Lossy channel systems (LCS's) are systems of finite state processes that communicate via unreliable unbounded fifo channels. We introduce NPLCS's, a variant of LCS's where message losses have a probabilistic behavior while the component processes behave nondeterministically, and study the decidability of qualitative verification problems for $\omega$-regular linear-time properties.

We show that - in contrast to finite-state Markov decision processes - the satisfaction relation for linear-time formulas depends on the type of schedulers that resolve the nondeterminism. While the qualitative model checking problems for the full class of history-dependent schedulers are undecidable, the same questions for finite-memory schedulers can be solved algorithmically. Additionally, some special kinds of reachability, or recurrent reachability, qualitative properties yield decidable verification problems for the full class of schedulers, which - for this restricted class of problems - are as powerful as finite-memory schedulers, or even a subclass of them.
1. INTRODUCTION

Channel systems [Brand and Zafiropulo 1983] are systems of finite-state components that communicate via asynchronous unbounded fifo channels. See Fig. 1 for an example of a channel system with two components $E_1$ and $E_2$ that communicate through fifo channels $c_1$ and $c_2$. Lossy channel systems [Finkel 1994; Abdulla and Jonsson 1996b] are a special class of channel systems where messages can be lost while they are in transit, without any notification. Considering lossy systems is natural when modeling fault-tolerant protocols where the communication channels are not supposed to be reliable. Additionally, the lossiness assumption makes termination and safety properties decidable [Pachl 1987; Finkel 1994; Cécé et al. 1996; Abdulla and Jonsson 1996b]. Several important verification problems are undecidable for these systems, including recurrent reachability, liveness properties, boundedness, and all behavioral equivalences [Abdulla and Jonsson 1996a; Schnoebelen 2001; Mayr 2003]. Furthermore, the above-mentioned decidable problems cannot be solved in primitive-recursive time [Schnoebelen 2002].

Fig. 1. A channel system: $E_1$ and $E_2$ communicate through channels $c_1$ and $c_2$.

Verifying Liveness Properties. Lossy channel systems are a convenient model for verifying safety properties of asynchronous protocols, and such verifications can sometimes be performed automatically [Abdulla et al. 2004]. However, they are not so adequate for verifying liveness properties. A first difficulty here is the undecidability of liveness properties.

A second difficulty is that the model itself is too pessimistic when liveness is considered. Protocols that have to deal with unreliable channels usually have some coping mechanisms combining resends and acknowledgments. But, without any assumption limiting message losses, no such mechanism can ensure that some communication will eventually be initiated. The classical solution to this problem is to add some fairness assumptions on the channel message losses, e.g., "if infinitely many messages are sent through the channels, infinitely many of them will not be lost". However, fairness assumptions in lossy channel systems make decidability more elusive [Abdulla and Jonsson 1996a; Masson and Schnoebelen 2002].

Probabilistic Losses. When modeling protocols, it is natural to see message losses as some kind of faults having a probabilistic behavior. Following this idea, Purushothaman Iyer and Narasimha [1997] introduced the first Markov chain model for lossy channel systems, where message losses (and other choices) are probabilistic. In this model, verification of qualitative properties is decidable when message losses have a high probability [Baier and Engelen 1999] and undecidable otherwise [Abdulla et al. 2005]. An improved model was later introduced by Abdulla et al. [2005] where the probability of losses is modeled more faithfully and where qualitative verification (and approximate quantitative verification [Rabinovich 2003]) is decidable independently of the likelihood of message losses. See the survey by Schnoebelen [2004] for more details.

These models are rather successful in bringing back decidability. However, they assume that the system is fully probabilistic, i.e., the choice between different actions is made probabilistically. But when modeling channel systems, nondeterminism is an essential feature. It is used to model the interleaved behavior of distributed components, to model an unknown environment, to delay implementation choices at early stages of the design, and to abstract away from complex control structures at later stages.

Our Contribution. We introduce Nondeterministic Probabilistic Lossy Channel Systems (NPLCS), a new model where channel systems behave nondeterministically while messages are lost probabilistically, and for which the operational semantics is given via infinite-state Markov decision processes. For these NPLCS's, we study the decidability of qualitative $\omega$-regular linear-time properties. We focus here on "control-based" properties, i.e., temporal formulas where the control locations of the given NPLCS serve as atomic propositions.

There are eight variants of the qualitative verification problem for a given $\omega$-regular property $\varphi$ and a starting configuration $s$, that arise from

— the four types of whether $\varphi$ should hold almost surely (that is, with probability 1), with positive probability, with zero probability or with probability less than 1,

— existential or universal quantification over all schedulers, i.e., instances that resolve the nondeterministic choices.

By duality of existential and universal quantification, it suffices to consider the four types of probabilistic satisfaction and one variant of quantification (existential or universal). We deal with the case of existential quantification since it is technically more convenient.

Our main results can be summarized as follows. First, we present algorithms for reachability properties stating that a certain set of locations will eventually be visited. We then discuss repeated reachability properties. While repeated reachability problems with the three probabilistic satisfaction relations "almost surely", "with zero probability" and "with probability less than 1" can be solved algorithmically, the question whether a certain set of locations can be visited infinitely often "with positive probability" under some scheduler is undecidable. It appears that this is because schedulers are very powerful (e.g., they need not be recursive). In order to recover decidability without sacrificing too much of the model, we advocate restricting oneself to finite-memory schedulers, and show this restriction makes the qualitative model checking problem against $\omega$-regular properties decidable for NPLCS's.

This article is partly based on, and extends, material presented in [Bertrand and Schnoebelen 2003; 2004]. However, an important difference with this earlier work is that the NPLCS model we use does not require the presence of idling steps (see Remark 2.3 below). This explains why some of the results presented here differ from those in [Bertrand and Schnoebelen 2003; 2004].

Outline of the Article. Section 2 introduces probabilistic lossy channel systems and their operational semantics. Section 3 establishes some fundamental properties, leading to algorithms for reachability and repeated reachability problems (in section 4). Section 5 shows that some repeated reachability problems are undecidable and contains other lower-bound results. Section 6 shows decidability for problems where attention is restricted to finite-memory schedulers, and section 7 shows how positive results for Streett properties generalize to arbitrary $\omega$-regular properties. Finally, section 8 concludes the article.

2. NONDETERMINISTIC PROBABILISTIC CHANNEL SYSTEMS

Lossy channel systems. A lossy channel system (a LCS) is a tuple $L = (Q, C, M, \Delta)$ consisting of a finite set $Q = \{p, q, \ldots\}$ of control locations (also called control states), a finite set $C = \{c, \ldots\}$ of channels, a finite message alphabet $M = \{m, \ldots\}$ and a finite set $\Delta = \{\delta, \ldots\}$ of transition rules. Each transition rule has the form $q \xrightarrow{op} p$ where $op$ is an operation of the form

— $c!m$ (sending message $m$ along channel $c$),

— $c?m$ (receiving message $m$ from channel $c$),

— $\surd$ (an internal action to some process, no I/O-operation).

The control graph of $L$ is the directed graph having the locations of $L$ as its nodes and rules from $\Delta$ for its edges. It is denoted by $Graph(Q)$, and more generally $Graph(A)$ for $A \subseteq Q$ denotes the control graph restricted to locations in $A$.

Our introductory example in Fig. 1 is turned into a LCS by replacing the two finite-state communicating agents $E_1$ and $E_2$ by the single control automaton one obtains with the asynchronous product $E_1 \times E_2$.

Operational Semantics. Let $L = (Q, C, M, \Delta)$ be a LCS. A configuration, also called global state, is a pair $(q, w)$ where $q \in Q$ is a location and $w : C \to M^*$ is a channel valuation that associates with any channel its content (a sequence of messages). We write $M^{*C}$ for the set of all channel valuations, or just $M^*$ when $|C| = 1$. The set $Q \times M^{*C}$ of all configurations is denoted by $Conf$. With abuse of notation, we shall use the symbol $\varepsilon$ for both the empty word and the channel valuation where all channels are empty. If $s = (q, w)$ is a configuration then we write $|s|$ for the total number of messages in $s$, i.e., $|s| = |w| =$

We say that a transition rule $\delta = q \xrightarrow{op} p$ is enabled in configuration $s = (r, w)$ iff

(1) the current location is $q$, i.e., $r = q$, and

(2) performing $op$ is possible. This may depend on the channel contents: sending and internal actions are always enabled, while a receiving $c?m$ is only possible if the current content of channel $c$ starts with the message $m$, i.e., if the word $w(c)$ belongs to $mM^*$.

For $s$ a configuration, we write $\Delta(s)$ for the set of transition rules that are enabled in $s$.

When $\delta = q \xrightarrow{op} p$ is enabled in $s = (q, w)$, firing $\delta$ yields a configuration $s' = (p, op(w))$ where $op(w)$ denotes the new contents after executing $op$:

— if $op = \surd$, then $op(w) = w$,

— if $op = c!m$, then $op(w)(c) = w(c)m$, and $op(w)(c') = w(c')$ for $c \neq c'$,

— if $op = c?m$ (and then $w(c)$ is some $m\mu$ since $\delta$ was enabled), then $op(w)(c) = \mu$, and $op(w)(c') = w(c')$ for $c \neq c'$.

We write $s \xrightarrow{\delta}_{perf} s'$ when $s'$ is obtained by firing $\delta$ in $s$. The "perf" subscript stresses that the step is perfect: no messages are lost.

However, in lossy systems, arbitrary messages can be lost. This is formalized with the help of the subword ordering: we write $\mu \sqsubseteq \mu'$ when $\mu$ is a subword of $\mu'$, i.e., $\mu$ can be obtained by removing any number of messages from $\mu'$, and we extend this to configurations, writing $(q, w) \sqsubseteq (q', w')$ when $q = q'$ and $w(c) \sqsubseteq w'(c)$ for all $c \in C$. By Higman's Lemma, $\sqsubseteq$ is a well-quasi-order between configurations of $L$ [Abdulla et al. 2000; Finkel and Schnoebelen 2001].

Now, we define lossy steps by letting $s \xrightarrow{\delta} s''$ whenever there is a perfect step $s \xrightarrow{\delta}_{perf} s'$ such that $s'' \sqsubseteq s'$.$^{1}$ This gives rise to a labeled transition system $LTS_L = (Conf, \Delta, \rightarrow)$. Here the set $\Delta$ of transition rules serves as action alphabet.

Remark 2.1. In the following we only consider LCS's where, for any location $q \in Q$, $\Delta$ contains at least one rule $q \xrightarrow{op} p$ where $op$ is not a receive operation. This ensures that $LTS_L$ has no terminal configuration, i.e., no configuration where no rules are enabled. □

Notation 2.2 (Arrow-notations). Let $s, t \in Conf$ be configurations. We write $s \rightarrow t$ if $s \xrightarrow{\delta} t$ for some $\delta$. As usual, $\xrightarrow{+}$ (resp. $\xrightarrow{*}$) denotes the transitive (resp. reflexive and transitive) closure of $\rightarrow$. Let $\rightsquigarrow$ be $\rightarrow$, $\xrightarrow{+}$ or $\xrightarrow{*}$. For $T \subseteq Conf$, we write $s \rightsquigarrow T$ when $s \rightsquigarrow t$ for some $t \in T$. When $X \subseteq Q$ is a set of locations, $s \rightsquigarrow X$ means that $s \rightsquigarrow (x, w)$ for some $x \in X$ (and for some $w$).

We also use a special notation for constrained reachability: $s \xrightarrow{*}_{[X]} t$ means that there is a sequence of steps going from configuration $s$ to $t$ and visiting only locations from $X$, including at the two extremities $s$ and $t$. With $s \xrightarrow{*}_{[X)} t$ we mean that the constraint does not apply to the last configuration. Hence $s \xrightarrow{*}_{[X)} s$ is always true, even with empty $X$. The following equivalence links the two notions:

$$ s \xrightarrow{*}_{[X)} t \quad \text{iff} \quad s = t \ \text{ or } \ \exists s' \, \big( s \xrightarrow{*}_{[X]} s' \ \text{ and } \ s' \rightarrow t \big). \qquad □ $$

We recall that in LCS's the following constrained reachability questions: "given $s, t$ configurations, $X \subseteq Q$ and $\rightsquigarrow \in \{\rightarrow, \xrightarrow{+}, \xrightarrow{*}\}$, does $s \rightsquigarrow_{[X]} t$ (or $s \rightsquigarrow_{[X)} t$)?" are decidable [Abdulla and Jonsson 1996b; Schnoebelen 2002].

The MDP-semantics. Following Bertrand and Schnoebelen [2003; 2004], we define the operational behavior of a LCS by an infinite-state Markov decision process. A NPLCS$^{2}$ $\mathcal{N} = (L, \tau)$ consists of a LCS $L$ and a fault rate $\tau \in (0, 1)$ that specifies the probability that a given message stored in one of the message queues is lost during a step. In the sequel, for $w, w' \in M^{*C}$, we let $P_{loss}(w, w')$ denote the probability that channels containing $w$ change to $w'$ within a single step as a result of message losses. This requires losing $|w| - |w'|$ messages at the right places. Formally, we let

$$ P_{loss}(w, w') \stackrel{def}{=} \tau^{|w| - |w'|} \cdot (1 - \tau)^{|w'|} \cdot \binom{w}{w'} \qquad (1) $$

where the combinatorial coefficient $\binom{w}{w'}$ is the number of different embeddings of $w'$ in $w$. For instance, in the case where $w = aaba$, one has

$$ \binom{aaba}{a} = \binom{aaba}{aa} = 3, \qquad \binom{aaba}{ab} = \binom{aaba}{aba} = 2, \qquad \binom{aaba}{w'} = 1 \ \text{ if } \ w' \in \{\varepsilon, b, aaa, aab, ba, aaba\} $$

and $\binom{aaba}{w'} = 0$ in all other cases. Note that, e.g., $w' = aa$ can be obtained from $w = aaba$ in three different ways (by removing the $b$ and either the first, second or third $a$), while $w' = ba$ is obtained from $w$ in a unique way (by removing the first two $a$'s). See [Abdulla et al. 2005] for more details. Here, it is enough to know that $\binom{w}{w'} \neq 0$ iff $w' \sqsubseteq w$ and that the probabilities add up to one: for all $w$, $\sum_{w'} P_{loss}(w, w') = 1$.

$^{1}$ Note that, with this definition, message losses can only occur after perfect steps (thus, not in the initial configuration). This is usual for probabilistic models of LCS's, while nondeterministic models of LCS's usually allow losses both before and after perfect steps. In each setting, the chosen convention is the one that is technically smoother, and there are no real semantic differences between the two.

$^{2}$ The starting letter "N" in NPLCS serves to indicate that we deal with a semantic model where nondeterminism and probabilities coexist, and thus, to distinguish our approach from interpretations of probabilistic lossy channel systems by Markov chains.

The Markov decision process associated with $\mathcal{N}$ is $MDP_{\mathcal{N}} \stackrel{def}{=} (Conf, \Delta, P_{\mathcal{N}})$. The step-wise probabilistic behavior is formalized by a three-dimensional transition probability matrix $P_{\mathcal{N}} : Conf \times \Delta \times Conf \to [0, 1]$. For a given configuration $s$ and a transition rule $\delta$ that is enabled in $s$, $P_{\mathcal{N}}(s, \delta, \cdot)$ is a distribution over the states in $MDP_{\mathcal{N}}$, while $P_{\mathcal{N}}(s, \delta, \cdot) = 0$ for any transition rule $\delta$ that is not enabled in $s$. The intuitive meaning of $P_{\mathcal{N}}(s, \delta, t) = \lambda > 0$ is that with probability $\lambda$ the system moves from configuration $s$ to configuration $t$ when $\delta$ is the chosen transition rule in $s$. Formally, if $s = (q, w)$, $t = (p, w')$, and $\delta = q \xrightarrow{op} p$ is enabled in $s$, then

$$ P_{\mathcal{N}}(s, \delta, t) = P_{loss}(op(w), w'). \qquad (2) $$

See Fig. 2 for an example where $s = (q, ab)$ and $\delta = q \xrightarrow{op} p$.

Fig. 2. From a LCS $L$ to $MDP_{\mathcal{N}}$.
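As an added illustration (not code from the paper), the following Python snippet implements the loss distribution of eq. (1) and the transition probabilities of eq. (2) for a single-channel NPLCS with one-letter messages, reproduces the $aaba$ coefficients, and checks that $P_{loss}(w, \cdot)$ sums to one. The tuple encoding of rules and the toy transition from $(q, ab)$ are this example's own assumptions.

```python
"""Added example: P_loss of eq. (1) and P_N of eq. (2) for one channel.
Channel contents are strings over the message alphabet (one letter per
message).  A rule is (q, op, p) with op one of ('!', m), ('?', m), ('sqrt',).
"""
from functools import lru_cache
from itertools import combinations


@lru_cache(maxsize=None)
def embeddings(w: str, v: str) -> int:
    """Number of embeddings of v in w, i.e. the coefficient binom(w, v)
    of eq. (1): the count of index subsets of w spelling v."""
    if not v:
        return 1
    if len(v) > len(w):
        return 0
    # Either the first letter of w is dropped, or (if it matches) it
    # serves as the first letter of the embedding.
    skip = embeddings(w[1:], v)
    use = embeddings(w[1:], v[1:]) if w[0] == v[0] else 0
    return skip + use


def p_loss(w: str, v: str, tau: float) -> float:
    """P_loss(w, v): probability that a channel holding w holds v after
    one round of independent losses with fault rate tau (eq. (1))."""
    if len(v) > len(w):
        return 0.0
    return tau ** (len(w) - len(v)) * (1 - tau) ** len(v) * embeddings(w, v)


def subwords(w: str) -> set:
    """All distinct subwords of w: the support of P_loss(w, .)."""
    return {"".join(w[i] for i in idx)
            for k in range(len(w) + 1)
            for idx in combinations(range(len(w)), k)}


def loss_distribution(w: str, tau: float) -> dict:
    """The whole distribution P_loss(w, .); its values sum to one because
    every index subset of w is kept with probability (1-tau)^|v| tau^(|w|-|v|)."""
    return {v: p_loss(w, v, tau) for v in subwords(w)}


def op_apply(op: tuple, w: str):
    """Perfect effect op(w) of an operation, or None when op is disabled."""
    if op[0] == "sqrt":
        return w
    if op[0] == "!":
        return w + op[1]
    if op[0] == "?":
        return w[1:] if w.startswith(op[1]) else None
    raise ValueError(op)


def p_mdp(s: tuple, rule: tuple, t: tuple, tau: float) -> float:
    """P_N(s, delta, t) of eq. (2): 0 when delta is not enabled in s or
    does not lead to t's location, else P_loss(op(w), w')."""
    (q, w), (rq, op, rp), (p, w2) = s, rule, t
    if q != rq or p != rp:
        return 0.0
    w1 = op_apply(op, w)
    if w1 is None:          # receive on a channel not starting with m
        return 0.0
    return p_loss(w1, w2, tau)


if __name__ == "__main__":
    # Constructed instance in the spirit of Fig. 2: s = (q, ab), rule q -c!a-> p.
    for v, pr in sorted(loss_distribution("aaba", 0.3).items()):
        print(f"P_loss(aaba, {v or 'eps'}) = {pr:.4f}  (embeddings={embeddings('aaba', v)})")
    print("P_N((q,ab), q-!a->p, (p,aba)) =", p_mdp(("q", "ab"), ("q", ("!", "a"), "p"), ("p", "aba"), 0.5))
```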
A consequence of (1) and (2) is that the labeled transition system underlying $MDP_{\mathcal{N}}$ is exactly $LTS_L$. Hence any path in $MDP_{\mathcal{N}}$ is also a path in $LTS_L$, and the fact that $LTS_L$ has no terminal configuration implies that there is no terminal state in $MDP_{\mathcal{N}}$.

Remark 2.3 (The idling MDP semantics). The above definition of the MDP semantics for an NPLCS differs from the approach of Bertrand and Schnoebelen [2003; 2004] where each location $q$ is assumed to be equipped with an implicit idling transition rule $q \xrightarrow{\surd} q$. This idling MDP semantics allows simplifications in algorithms, but it does not respect enough the intended liveness of channel systems (e.g., inevitability becomes trivial) and we do not adopt it here. Observe that the new approach is more general since idling rules are allowed at any location in $L$. □
Schedulers (finite-memory, memoryless, blind and almost blind). Before one may speak of the probabilities of certain events in an MDP, the nondeterminism has to be resolved by means of a scheduler, also often called adversary, policy or strategy. We will use the word "scheduler" for a history-dependent deterministic scheduler in the classification of Puterman [1994]. Formally, a scheduler for $\mathcal{N}$ is a mapping $\mathcal{U}$ that assigns to any finite path $\pi$ in $\mathcal{N}$ a transition rule $\delta \in \Delta$ that is enabled in the last state of $\pi$.$^{3}$ Intuitively, the given path $\pi$ specifies the history of the system, and $\mathcal{U}(\pi)$ is the rule that $\mathcal{U}$ chooses to fire next.

A scheduler $\mathcal{U}$ only gives rise to certain paths in the MDP: we say $\pi = s_1 \xrightarrow{\delta_1} s_2 \xrightarrow{\delta_2} \cdots$ is compatible with $\mathcal{U}$ or, shortly, is a $\mathcal{U}$-path, if $P_{\mathcal{N}}(s_n, \delta_n, s_{n+1}) > 0$ for all $n \geq 1$, where $\delta_n = \mathcal{U}(s_1 \rightarrow \cdots \rightarrow s_n)$ is the transition rule chosen by $\mathcal{U}$ for the $n$-th prefix of $\pi$. In practice, it is only relevant to define how $\mathcal{U}$ evaluates on $\mathcal{U}$-paths.

In general $\mathcal{U}$ can be any function and, e.g., it need not be recursive. It is often useful to consider restricted types of schedulers. In this article, the two main types of restricted schedulers we use are finite-memory schedulers, that abstract the whole history into some finite-state information, and blind schedulers, that ignore the contents of the channels.

Formally, a finite-memory scheduler for $\mathcal{N}$ is a tuple $\mathcal{U} = (U, D, \eta, u_0)$ where $U$ is a finite set of modes, $u_0 \in U$ is the starting mode, $D : U \times Conf \to \Delta$ is the decision rule which assigns to any pair $(u, s)$ consisting of a mode $u \in U$ and a configuration $s$ a transition rule $\delta \in \Delta(s)$, and $\eta : U \times Conf \to U$ is a next-mode function which describes the mode-changes of the scheduler. The modes can be used to store some relevant information about the history. In a natural way, a finite-memory scheduler can be viewed as a scheduler in the general sense: given a finite path $\pi = s_0 \rightarrow s_1 \rightarrow \cdots \rightarrow s_n$ in $\mathcal{N}$, it chooses $D(u, s_n)$ where $u = \eta(u_0, s_0 s_1 \ldots s_n) = \eta(\ldots \eta(\eta(u_0, s_0), s_1), \ldots, s_n)$.

A scheduler $\mathcal{U}$ is called memoryless if $\mathcal{U}$ is finite-memory with a single mode. Thus, memoryless schedulers make the same decision for all paths that end up in the same configuration. In this sense, they are not history-dependent and can be defined more simply via mappings $\mathcal{U} : Conf \to \Delta$.

By a blind scheduler, we mean a scheduler where the decisions only depend on the locations that have been passed, and not on the channel contents. Hence a blind scheduler never selects a reading transition rule. Observe that, since the probabilistic choices only affect channel contents (by message losses), all $\mathcal{U}$-paths generated by a blind $\mathcal{U}$ visit the same locations in the same order. More formally, with any initial location $q_0$, a blind scheduler can be seen as associating an infinite sequence $q_0 \xrightarrow{\delta_1} q_1 \xrightarrow{\delta_2} q_2 \cdots$ of chained transition rules, and the $\mathcal{U}$-paths are exactly the paths of the form $(q_0, w_0) \xrightarrow{\delta_1} (q_1, w_1) \xrightarrow{\delta_2} (q_2, w_2) \cdots$ with $w_i \sqsubseteq op_i(w_{i-1})$ for all $i > 0$.

A scheduler is called almost blind if it almost surely eventually behaves blindly. Formally, $\mathcal{U}$ is almost blind iff there exists a scheduler $\mathcal{V}$ and a blind scheduler $\mathcal{W}$ such that for all configurations $s$ and for almost all (see below) infinite $\mathcal{U}$-paths $\pi = s_1 \rightarrow s_2 \rightarrow \cdots$ with $s = s_1$, there exists an index $n \geq 0$ such that

— $\mathcal{U}(s_1 \rightarrow \cdots \rightarrow s_i) = \mathcal{V}(s_1 \rightarrow \cdots \rightarrow s_i)$ for all indices $i < n$ and
— $\mathcal{U}(s_1 \rightarrow \cdots \rightarrow s_i) = \mathcal{W}(s_1 \rightarrow \cdots \rightarrow s_i)$ for all indices $i \geq n$.

Here and in the sequel, the formulation "almost all paths have property $x$" means that the paths where property $x$ is violated are contained in some measurable set of paths that has probability measure 0. The underlying probability space is the standard one (briefly explained below).

$^{3}$ As stated in Remark 2.1, we make the assumption that any configuration has at least one enabled transition rule.

Stochastic process. Given an NPLCS $\mathcal{N}$ and a scheduler $\mathcal{U}$, the behavior of $\mathcal{N}$ under $\mathcal{U}$ can be formalized by an infinite-state Markov chain $MC_{\mathcal{U}}$. For arbitrary schedulers, the states of $MC_{\mathcal{U}}$ are finite paths in $\mathcal{N}$. Intuitively, such a finite path $\pi = s_1 \rightarrow \cdots \rightarrow s_{n-1} \rightarrow s_n$ represents configuration $s_n$, while $s_1 \rightarrow \cdots \rightarrow s_{n-1}$ stands for the history how configuration $s_n$ was reached.$^{4}$ If $\pi$ is a finite path ending in configuration $s$, and $\pi' = \pi \xrightarrow{\delta} t$ is $\pi$ followed by step $s \xrightarrow{\delta} t$, then the probability $P_{\mathcal{U}}(\pi, \pi')$ in $MC_{\mathcal{U}}$ is defined with $P_{\mathcal{U}}(\pi, \pi') \stackrel{def}{=} P_{\mathcal{N}}(s, \mathcal{U}(\pi), t)$, according to the chosen rule $\mathcal{U}(\pi)$. In all other cases $P_{\mathcal{U}}(\pi, \pi') = 0$. We now may apply the standard machinery for Markov chains and define (for fixed starting configuration $s$) a sigma-field on the set of infinite paths starting in $s$ and a probability measure on it, see, e.g., [Kemeny et al. 1966; Puterman 1994; Panangaden 2001]. We shall write $Pr_{\mathcal{U}}(s \models \cdots)$ to denote the standard probability measure in $MC_{\mathcal{U}}$ with starting state $s$.

For $\mathcal{U}$ a finite-memory scheduler, we can think of the states in $MC_{\mathcal{U}}$ as pairs $(u, s)$ consisting of a mode $u$ and a configuration $s$. In the sequel, we will write $s_u$ rather than $(u, s)$ as the intuitive meaning of $(u, s)$ is "configuration $s$ in mode $u$". For finite-memory schedulers the successor-states of $s_u$ and their probabilities in $MC_{\mathcal{U}}$ are given by the MDP for $\mathcal{N}$ in configuration $s$ and the chosen transition rule for $s_u$. That is, if $\mathcal{U}$ is some $(U, D, \eta, u_0)$, we have $P_{\mathcal{U}}(s_u, t_{\eta(u, s)}) \stackrel{def}{=} P_{\mathcal{N}}(s, D(u, s), t)$, and if $u' \neq \eta(u, s)$ then $P_{\mathcal{U}}(s_u, t_{u'}) = 0$. In a similar way, we can think of the Markov chains for memoryless or blind schedulers in a simpler way. For memoryless schedulers, the configurations of $\mathcal{N}$ can be viewed as states in the Markov chain $MC_{\mathcal{U}}$, while for blind schedulers we may deal with finite words over $Q$ complemented with some current channel contents.

LTL-notation. Throughout the article, we assume familiarity with linear temporal logic (LTL), see, e.g., [Emerson 1990]. We use simple LTL formulas to denote properties of paths in $MDP_{\mathcal{N}}$. Here configurations and locations serve as atomic propositions: for example $\Box\Diamond s$ (resp. $\Box\Diamond x$) means that $s \in Conf$ (resp. $x \in Q$) is visited infinitely many times along a path, and $x \ \mathsf{Until} \ s$ means that the control state remains $x$ until $s$ is eventually reached. These notations extend to sets: $\Box\Diamond T$ and $\Box\Diamond A$ for $T \subseteq Conf$ and $A \subseteq Q$ with obvious meanings. For $A \subseteq Q$, $A_\varepsilon$ is the set $\{(q, \varepsilon) : q \in A\}$ so that $\Diamond Q_\varepsilon$ means that eventually a configuration with empty channels is reached. It is well-known that for any scheduler $\mathcal{U}$, the set of paths starting in some configuration $s$ and satisfying an LTL formula, or an $\omega$-regular property, $\varphi$ is measurable [Vardi 1985; Courcoubetis and Yannakakis 1995]. We write $Pr_{\mathcal{U}}(s \models \varphi)$ for this measure.

Finite attractor. The crucial point for the algorithmic analysis of NPLCS is the fact that almost surely, a configuration where all channels are empty will be visited infinitely often. If $\mathcal{U}$ is a scheduler and $T$ a set of configurations then $T$ is called an attractor for $\mathcal{U}$ iff $Pr_{\mathcal{U}}(s \models \Box\Diamond T) = 1$ for any starting configuration $s$.

Proposition 2.4 (Finite-attractor property for arbitrary schedulers). For any scheduler $\mathcal{U}$, the set $Q_\varepsilon \stackrel{def}{=} \{(q, \varepsilon) : q \in Q\}$ is a finite attractor for $\mathcal{U}$.

That is, almost all paths in $MC_{\mathcal{U}}$ visit $Q_\varepsilon$ infinitely often, independently of the starting state. We refer to [Bertrand and Schnoebelen 2003; Baier et al. 2006] for formal proofs. An intuitive explanation of the result is that when the channels contain $n$ messages, each step can only add at most one new message (through a sending action) while on average $n \times \tau$ are lost. Thus when $n$ is large, it tends to decrease and this suffices to ensure that almost surely all messages will be lost.

$^{4}$ One often uses informal but convenient formulations such as "scheduler $\mathcal{U}$ is in configuration $s$", which means that a state $\pi$ in the chain $MC_{\mathcal{U}}$, i.e., a finite path in $\mathcal{N}$, is reached where the last configuration is $s$.

3. SAFE SETS AND PROMISING SETS

At many places, our arguments use the notions of "safe sets" and "promising sets" of locations. In this section we define these notions, relate them to behavioral features, and explain how to compute them.

3.1 Safe sets

Definition 3.1. Let $L = (Q, C, M, \Delta)$ be a lossy channel system and $A \subseteq Q$ be a set of locations. We say that $X \subseteq Q$ is safe for $A$ if $X \subseteq A$ and $(x, \varepsilon) \rightarrow X$ for all $x \in X$.

Assume $A \subseteq Q$. It is easy to see that if $X$ and $Y$ are both safe for $A$, then $X \cup Y$ is safe for $A$ too. The same holds for infinite unions. As a consequence, the largest safe set for $A$ exists (union of all safe sets); it is denoted by $Safe(A)$, or $Safe$ when there is no ambiguity on $A$.

Observe that for any family $(A_i)_{i \in I}$ of sets of locations, one has the following inclusions

$$ Safe\Big(\bigcup_{i \in I} A_i\Big) \supseteq \bigcup_{i \in I} Safe(A_i) \qquad\qquad Safe\Big(\bigcap_{i \in I} A_i\Big) \subseteq \bigcap_{i \in I} Safe(A_i) \qquad (3) $$

while the reverse inclusions do not hold in general.

$Safe(A)$ can be computed in linear time: consider $Graph(A)$, the control graph restricted to locations of $A$. Remove from $Graph(A)$ the edges that carry receiving operations "$c?m$". The nodes that have no outgoing edges cannot be in $Safe(A)$: remove them with their incoming edges. This may create new nodes with no outgoing edges that have to be removed iteratively. After each iteration, the remaining nodes are a superset of $Safe(A)$. When the process eventually terminates, what remains is exactly $Safe(A)$. Indeed the remaining nodes form a safe set $X$: from every $x \in X$ there is an outgoing edge $x \xrightarrow{op} y$ where $op$ is not a receiving operation, hence $(x, \varepsilon) \rightarrow X$.

The following lemma justifies the terminology "safe" and will be very useful in the sequel.

Lemma 3.2. There exists a blind and memoryless scheduler $\mathcal{U}$ s.t. for all $x \in Safe(A)$ and all $w \in M^{*C}$, $Pr_{\mathcal{U}}((x, w) \models \Box A) = 1$.

Proof. Let us describe the scheduler $\mathcal{U}$ satisfying $\Box A$ with probability 1. For each $x \in Safe(A)$ fix a rule $\delta_x : x \xrightarrow{op} y$ enabled in $(x, \varepsilon)$ and with $y \in Safe(A)$. One such rule must exist by definition of $Safe(A)$. Because $y$ is in $Safe(A)$, $\mathcal{U}$ can go on with $\delta_y$, etc. Note that the rules used by $\mathcal{U}$ do not depend on the channel contents but only on the locations: this scheduler $\mathcal{U}$ is memoryless and blind. The fact that $\mathcal{U}$ fulfills the requirement $Pr_{\mathcal{U}}((x, \varepsilon) \models \Box A) = 1$ comes for free from the inclusion $Safe(A) \subseteq A$. □
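As an added example (not the paper's own code), the following Python snippet implements the pruning algorithm for $Safe(A)$ from the paragraph above and derives from it the blind memoryless scheduler constructed in the proof of Lemma 3.2. The rule encoding and the toy LCS are constructed for illustration; channel names are left out because $Safe(A)$ only depends on which rules are receives.

```python
"""Added example: Safe(A) by iterative pruning, and the Lemma 3.2 scheduler.
A rule is (q, op, p) with op one of ('!', m), ('?', m) or ('sqrt',).
"""
from collections import defaultdict, deque


def safe(rules, A):
    """Largest X subset of A with (x, eps) -> X for every x in X.
    Works on Graph(A) with receive edges deleted (those are disabled at
    eps) and repeatedly removes nodes without outgoing edges.  Each edge
    is touched a bounded number of times, so the run time is linear."""
    A = set(A)
    succ = defaultdict(set)   # x -> locations reachable by one enabled edge
    pred = defaultdict(set)   # reverse edges, to find newly dead nodes
    for q, op, p in rules:
        if q in A and p in A and op[0] != "?":
            succ[q].add(p)
            pred[p].add(q)
    alive = set(A)
    dead = deque(x for x in alive if not succ[x])
    while dead:
        x = dead.popleft()
        if x not in alive:
            continue
        alive.discard(x)
        # Dropping x also drops its incoming edges; a predecessor that is
        # left with no outgoing edge is removed in the next iteration.
        for y in pred[x]:
            succ[y].discard(x)
            if y in alive and not succ[y]:
                dead.append(y)
    return alive


def blind_scheduler(rules, A):
    """The blind, memoryless scheduler of Lemma 3.2: for every x in
    Safe(A) one fixed non-receiving rule x -> y with y in Safe(A).  It is a
    map on locations only, so channel contents are never consulted."""
    S = safe(rules, A)
    choice = {}
    for q, op, p in rules:
        if q in S and p in S and op[0] != "?" and q not in choice:
            choice[q] = (q, op, p)
    return choice


def run_blind(sched, x0, steps):
    """Locations visited when the scheduler is followed from x0.  Losses
    cannot change them (Lemma 3.2), so the run stays in Safe(A) forever."""
    path, x = [x0], x0
    for _ in range(steps):
        x = sched[x][2]
        path.append(x)
    return path


# Constructed toy LCS satisfying Remark 2.1 (every location has a
# non-receive rule).  r can only stay inside {p, q, r} by receiving, so
# r is not in Safe({p, q, r}).
RULES = [
    ("p", ("!", "m"), "q"),
    ("q", ("sqrt",), "p"),
    ("q", ("?", "m"), "r"),   # disabled in (q, eps)
    ("r", ("?", "m"), "r"),   # disabled in (r, eps)
    ("r", ("!", "m"), "s"),   # leaves A = {p, q, r}
    ("s", ("sqrt",), "s"),
]

if __name__ == "__main__":
    A = {"p", "q", "r"}
    print("Safe(A) =", sorted(safe(RULES, A)))
    sched = blind_scheduler(RULES, A)
    print("run from p:", run_blind(sched, "p", 5))
```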

Conversely:

Lemma 3.3. If $Pr_{\mathcal{U}}((x, \varepsilon) \models \Box A) = 1$ for some scheduler $\mathcal{U}$, then $x \in Safe(A)$.

Proof. Assume $Pr_{\mathcal{U}}((x, \varepsilon) \models \Box A) = 1$. We define $Y$ to be the set of locations that can be visited along a $\mathcal{U}$-path: $Y = \{q \in Q \mid \exists w, \ Pr_{\mathcal{U}}((x, \varepsilon) \models \Diamond(q, w)) > 0\}$ and show that $Y$ is safe for $A$. We have $Y \subseteq A$, otherwise $Pr_{\mathcal{U}}((x, \varepsilon) \models \Box A)$ would be less than 1.

Moreover, if $Pr_{\mathcal{U}}((x, \varepsilon) \models \Diamond(q, w)) > 0$ for some $w$ then $Pr_{\mathcal{U}}((x, \varepsilon) \models \Diamond(q, \varepsilon)) > 0$. This is trivial if $q = x$, and otherwise, losing all messages in the last step leads to $(q, \varepsilon)$ instead of $(q, w)$. Hence there must be some rule enabled in $(q, \varepsilon)$ that $\mathcal{U}$ picks to satisfy $\Box A$ with probability one. Let $q \xrightarrow{op} y$ be this rule. Then $y$ is in $Y$.

The set $Y$ is safe for $A$ and $x \in Y$, hence $x \in Safe(A)$. □

3.2 Promising sets

Definition 3.4. Let $L = (Q, C, M, \Delta)$ be a lossy channel system and $A \subseteq Q$ be a set of locations. We say that $X \subseteq Q$ is promising for $A$ if $(x, \varepsilon) \xrightarrow{*}_{[X)} A$ for all $x \in X$.

As for safe sets, the largest promising set for $A$ (written $Prom(A)$ or $Prom$) exists; it is the union of all promising sets for $A$.

An important property is distributivity with respect to union:

Lemma 3.5 (See Appendix A). For any family $(A_i)_{i \in I}$ of sets of locations,

$$ Prom\Big(\bigcup_{i \in I} A_i\Big) = \bigcup_{i \in I} Prom(A_i). $$

With regards to intersection, the following clearly holds:

$$ Prom\Big(\bigcap_{i \in I} A_i\Big) \subseteq \bigcap_{i \in I} Prom(A_i) \qquad (4) $$

but the reverse inclusion does not hold in general.

The set $Prom(A)$ can be computed for a given $A$ as a greatest fixed point. Let $X_0 = Q$ be the set of all locations and, for $i = 0, 1, \ldots$, define $X_{i+1}$ as the set of locations $x \in X_i$ such that $(x, \varepsilon) \xrightarrow{*}_{[X_i)} A$. The $X_i$'s can be built effectively because constrained reachability is decidable for LCS's (as recalled in section 2). The sequence eventually stabilizes since $X_0 = Q$ is finite. When it does, $X \stackrel{def}{=} \lim_i X_i$ is promising for $A$. Since each $X_i$ is a superset of $Prom(A)$, we end up with $X = Prom(A)$.

Promising sets are linked to eventuality properties:

Lemma 3.6. There exists a memoryless scheduler $\mathcal{U}$ s.t. for all $x \in Prom(A)$ and all $w \in M^{*C}$, $Pr_{\mathcal{U}}((x, w) \models \Diamond A) = 1$.

Proof. We first describe a finite-memory scheduler $\mathcal{U}$ that achieves for any $x \in Prom(A)$ and $w \in M^{*C}$, $Pr_{\mathcal{U}}((x, w) \models \Diamond A) = 1$. Then we explain how a memoryless scheduler can do the same thing.

$\mathcal{U}$ has two types of modes, a normal mode for each $x \in Prom(A)$, and a recovery mode. In normal mode and starting from $(x, \varepsilon)$ for some $x \in Prom(A)$, $\mathcal{U}$ picks the rule $\delta_1$ given by a fixed path $\pi_x$ of the form $(x, \varepsilon) \xrightarrow{\delta_1} (x_1, w_1) \xrightarrow{\delta_2} \cdots \rightarrow A$ witnessing $x \in Prom(A)$. If after firing $\delta_1$ the next configuration is indeed $(x_1, w_1)$, $\mathcal{U}$ stays in normal mode and goes on with $\delta_2$, $\delta_3$, etc., trying to follow $\pi_x$, until $A$ is reached. Whenever the probabilistic losses put it out of $\pi_x$, i.e., in some $(x_i, w'_i)$ with $w'_i \neq w_i$ (and $x_i \notin A$), $\mathcal{U}$ switches to recovery mode.

In recovery mode and in some configuration $(x_i, w)$, $\mathcal{U}$ performs a rule enabled in $(x_i, \varepsilon)$ and leading to a location $y \in Prom(A)$ - such a rule exists because $x_i \in Prom(A)$, e.g., the first rule used in $\pi_{x_i}$. $\mathcal{U}$ goes on in recovery mode until all channels are empty. Note that in normal mode and in recovery mode all the visited locations are in $Prom(A)$. Because of the finite-attractor property, with probability one some configuration $(y, \varepsilon)$ is eventually visited and $\mathcal{U}$ switches back to normal mode for $y$. Therefore, and as long as $A$ is not visited, some $\pi_x$ path is tried and almost surely one of them will be eventually followed to the end. Hence $Pr_{\mathcal{U}}((x, w) \models \Diamond A) = 1$. Observe that $\mathcal{U}$ does not depend on $x$ (nor on $w$) and is finite-memory.

We can even design a memoryless scheduler, the so-called stubborn scheduler. For this, it is enough to ensure that the set of paths $(\pi_x)_{x \in Prom(A)}$ on which $\mathcal{U}$ relies are such that every occurring configuration is followed by the same next configuration. That is, the paths may join and fuse, but they may not cross and diverge (nor loop back). This way, $\mathcal{U}$ can base its choices on the current configuration only. Whether it is in "normal" or "recovery" mode is now based on whether the current configuration occurs in the set of selected paths or not. □

Lemma 3.7. If $Pr_{\mathcal{U}}((x, \varepsilon) \models \Diamond A) = 1$ for some scheduler $\mathcal{U}$ then $x \in Prom(A)$.

Proof. Let $\mathcal{U}$ be a scheduler such that $Pr_{\mathcal{U}}((x, \varepsilon) \models \Diamond A) = 1$. Define $X \stackrel{def}{=} \{y \in Q \mid Pr_{\mathcal{U}}((x, \varepsilon) \models \neg A \ \mathsf{Until} \ y) > 0\}$ and observe that $x \in X$.

We now show that $X$ is promising for $A$. Let $y \in X$, then $Pr_{\mathcal{U}}((x, \varepsilon) \models \neg A \ \mathsf{Until} \ (y, \varepsilon)) > 0$: this is obvious for $y = x$ and, for $y \neq x$, the channel can be emptied in the last step of the path witnessing $\neg A \ \mathsf{Until} \ y$. Thus, and since $Pr_{\mathcal{U}}((x, \varepsilon) \models \Diamond A) = 1$, there must be some path $(y, \varepsilon) \xrightarrow{*} (z, w)$ with $z \in A$. Moreover if $z$ is the first occurrence of $A$ along this path, we have $(y, \varepsilon) \xrightarrow{*}_{[X)} (z, w)$.

Hence $X$ is promising for $A$, and $x \in X$, so $x \in Prom(A)$. □

4. DECIDABILITY RESULTS 
4.1 Reachability properties 

In this section we give decidability results for qualitative reachability problems. The questions whether there exists a scheduler such that eventuality properties of the form $\bigwedge_i \Diamond A_i$ are satisfied with probability $= 1$ (resp. $= 0$, $> 0$, $< 1$) are all decidable.

In all cases the problem reduces to several reachability questions in ordinary lossy channel systems.

Theorem 4.1 (Generalized eventuality properties). It is decidable whether for a given NPLCS $\mathcal{N}$, location $q$, sets $A_1, \dots, A_n$ of locations and reachability properties (a), (b), (c) or (d) there exists a scheduler $\mathcal{U}$ satisfying

(a) $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i=1}^n \Diamond A_i) > 0$, or

(b) $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i=1}^n \Diamond A_i) = 0$, or

(c) $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i=1}^n \Diamond A_i) < 1$, or

(d) $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i=1}^n \Diamond A_i) = 1$.

Furthermore, the existence of a scheduler $\mathcal{U}$ satisfying (b) entails the existence of a blind and memoryless scheduler for (b). The existence of a scheduler satisfying (c) entails the existence of an almost blind and memoryless scheduler for (c). The existence of a scheduler satisfying (a) or (d) entails the existence of a finite-memory scheduler for (a) or (d).

The rest of this section consists in the proof of Theorem 4.1. In this proof, we will successively show the decidability of (a), (b), (c) and (d).

ad (a) of Theorem 4.1: $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i=1}^n \Diamond A_i) > 0$.

We first consider the case of a single eventuality property $\Diamond A$. Obviously:

$A$ is reachable from $(q,\varepsilon)$
iff there exists a scheduler $\mathcal{U}$ with $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Diamond A) > 0$
iff there exists a memoryless scheduler $\mathcal{U}$ with $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Diamond A) > 0$.

Hence the problem reduces to a control-state reachability problem in $\mathrm{LTS}_{\mathcal{L}}$.

For several eventualities $A_1, \dots, A_n$, one can reduce the problem to the simpler case by building a product $\mathcal{N} \times \mathcal{A}$ of $\mathcal{N}$ with a finite-state automaton $\mathcal{A}$ that records which $A_i$'s have been visited so far. $\mathcal{N} \times \mathcal{A}$ has $2^n$ times the size of $\mathcal{N}$. The existence of a memoryless scheduler for $\mathcal{N} \times \mathcal{A}$ directly translates into the existence of a finite-memory scheduler for $\mathcal{N}$.

Observe that for eventuality properties of the form $\exists \mathcal{U}\ \Pr_{\mathcal{U}}((q,\varepsilon) \models \Diamond A \wedge \Diamond B) > 0$, memoryless schedulers are not sufficient, as the only possibility to satisfy both constraints $\Diamond A$ and $\Diamond B$ might be to visit a certain configuration $s$ twice and to choose different transition rules when visiting $s$ the first and the second time.

ad (b) of Theorem 4.1: $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i=1}^n \Diamond A_i) = 0$.

We rewrite the question as the existence of $\mathcal{U}$ such that $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigvee_{i=1}^n \Box \neg A_i) = 1$ or, equivalently, with $B_i \stackrel{\mathrm{def}}{=} Q \setminus A_i$, such that $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigvee_{i=1}^n \Box B_i) = 1$. The next lemma reduces this question to a simple safety problem.

Lemma 4.2. There exists a scheduler $\mathcal{U}$ with $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigvee_{i=1}^n \Box B_i) = 1$ if and only if there exists a blind and memoryless scheduler $\mathcal{U}$ with $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box B_i) = 1$ for some $i$, $1 \le i \le n$.

Proof. ($\Leftarrow$): is obvious.

($\Rightarrow$): We assume that $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigvee_{i=1}^n \Box B_i) = 1$.

For all $I \subseteq \{1, \dots, n\}$, $I \neq \emptyset$, let $X_I$ be the set of all locations $x$ such that there exists a finite $\mathcal{U}$-path $\pi$ of the form $(q,\varepsilon) = (x_0,w_0) \to (x_1,w_1) \to \cdots \to (x_m,w_m) = (x,w_m)$ satisfying:

$\{x_0, \dots, x_m\} \subseteq B_i$ iff $i \in I$.

Hence a path such as $\pi$ above witnesses that $x_m$ belongs to $X_I$ for $I$ the set of all indices $i$ such that $\pi \models \Box B_i$.

For a location $x$, let $I_x \stackrel{\mathrm{def}}{=} \{i \in \{1, \dots, n\} \mid x \in B_i\}$. By assumption $I_q$ is not empty and $q \in X_{I_q}$.

We now show, for all $I \neq \emptyset$ and all $x \in X_I$, that

$(x,\varepsilon) \to X_J$ for some $\emptyset \neq J \subseteq I$. (5)

This can be seen as follows. Let $x \in X_I$. Then there is a finite path as above. But then also

$(q,\varepsilon) = (x_0,w_0) \to (x_1,w_1) \to \cdots \to (x_{m-1},w_{m-1}) \to (x_m,\varepsilon)$

is a $\mathcal{U}$-path (all messages may be lost in the last step). Let $x \to y$ be the transition rule taken by $\mathcal{U}$ after this path. Then $(x,\varepsilon) \to (y,\varepsilon)$: the rule is enabled on the empty channel, hence is a write or an internal step, and whatever it writes may be lost immediately. Hence there is an infinite $\mathcal{U}$-path $\pi$ starting with the prefix

$(q,\varepsilon) = (x_0,w_0) \to (x_1,w_1) \to \cdots \to (x_{m-1},w_{m-1}) \to (x,\varepsilon) \to (y,\varepsilon)$

and satisfying $\bigvee_{i=1}^n \Box B_i$ (the prefix has positive probability and $\bigvee_i \Box B_i$ holds almost surely). Let $J \stackrel{\mathrm{def}}{=} I \cap I_y$. $J$ is not empty because $\pi \models \Box B_i$ for some $1 \le i \le n$, and such an $i$ belongs both to $I$ and to $I_y$. Moreover $(q,\varepsilon) = (x_0,w_0) \to \cdots \to (x_{m-1},w_{m-1}) \to (x,\varepsilon) \to (y,\varepsilon)$ is a witness for $y \in X_J$. Hence $(x,\varepsilon) \to X_J$.

We now construct simultaneously an infinite sequence $x_0, x_1, \dots$ of locations and an infinite sequence $I_0, I_1, \dots$ of sets of indices with $x_0 = q$ and such that $x_k \in X_{I_k}$ for $k = 0, 1, \dots$ We start with $I_0 \stackrel{\mathrm{def}}{=} I_q$. At step $k$, $x_k \in X_{I_k}$ and (5) entail the existence of a step $(x_k,\varepsilon) \to X_J$ with $\emptyset \neq J \subseteq I_k$. We let $x_{k+1}$ be the smallest $x \in X_J$ that can be reached this way from $x_k$ (assuming $Q$ is totally ordered in some way) and $I_{k+1} \stackrel{\mathrm{def}}{=} J$. Observe that $I_0 \supseteq I_1 \supseteq \cdots$ and that $I_\infty$ ($\stackrel{\mathrm{def}}{=} \bigcap_{k=0}^{\infty} I_k$) is not empty thanks to (5). Observe that a scheduler $\mathcal{V}$ that visits $x_0, x_1, \dots$ is blind, satisfies $\bigwedge_{i \in I_\infty} \Box B_i$, and only needs finite memory, e.g., recording the current $I_k$. A memoryless scheduler $\mathcal{U}$ can be obtained from $\mathcal{V}$ by always picking, for a location $x$, the rule that $\mathcal{V}$ picks last if $x$ is encountered several times in the sequence $x_0, x_1, \dots$. $\mathcal{U}$ visits fewer locations than $\mathcal{V}$, hence satisfies more properties. □

Now, combining Lemma 4.2 with Lemmas 3.2 and 3.3 (the blind scheduler for safe sets and its converse), one sees that there exists a scheduler $\mathcal{U}$ with $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigvee_{i=1}^n \Box B_i) = 1$ iff $q \in \bigcup_{i=1}^n \mathrm{Safe}(B_i)$, which is decidable since the $\mathrm{Safe}(B_i)$'s can be computed effectively (section 3.1). This concludes the proof of Theorem 4.1 (b).

ad (c) of Theorem 4.1: $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i=1}^n \Diamond A_i) < 1$.

We first observe that

$\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i=1}^n \Diamond A_i) < 1$
iff $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigvee_{i=1}^n \Box \neg A_i) > 0$
iff $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box \neg A_i) > 0$ for some $i \in \{1, \dots, n\}$.

Thus, it suffices to explain how to check whether there exists a scheduler $\mathcal{U}$ with

$\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box B) > 0$

where $B$ is a given set of locations.

The following lemma reduces our problem to a decidable reachability question in $\mathrm{LTS}_{\mathcal{L}}$ (see (c.3)).

Lemma 4.3. The following assertions are equivalent:

(c.1) There exists a scheduler $\mathcal{U}$ such that $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box B) > 0$.

(c.2) There exists an almost blind, memoryless scheduler $\mathcal{U}$ with $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box B) > 0$.

(c.3) $(q,\varepsilon) \to_{[B]} \mathrm{Safe}(B)$.

Proof. (c.2) $\Rightarrow$ (c.1): is obvious.

(c.3) $\Rightarrow$ (c.2): Let $\pi$ be a path witnessing $(q,\varepsilon) \to_{[B]} \mathrm{Safe}(B)$. A scheduler $\mathcal{U}$ that tries to follow this path reaches $\mathrm{Safe}(B)$ with positive probability. If $\pi$ is simple (i.e., loop-free), $\mathcal{U}$ is memoryless. Whenever $\mathrm{Safe}(B)$ is reached, it is sufficient that $\mathcal{U}$ behave as the blind scheduler for safe sets (Lemma 3.2). The resulting scheduler is almost blind, memoryless, and achieves $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box B) > 0$.

(c.1) $\Rightarrow$ (c.3): Let $\mathcal{U}$ be a scheduler such that $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box B) > 0$. Let

$X \stackrel{\mathrm{def}}{=} \{x \in Q \mid \Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond (x,\varepsilon) \wedge \Box B) > 0\}$.

The finite-attractor property yields that $X \neq \emptyset$. Moreover, each configuration $(x,\varepsilon)$ with $x \in X$ is reachable from $(q,\varepsilon)$ via a $\mathcal{U}$-path where $\Box B$ holds. Hence, we have $(q,\varepsilon) \to_{[B]} X$.

We now show that $X$ is safe for $B$, which yields $X \subseteq \mathrm{Safe}(B)$, and hence (c.3).

Obviously $X \subseteq B$. Now let $x \in X$. There exists a transition rule $\delta_x = x \to y$ such that

$\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond (x,\varepsilon) \wedge$ "$\delta_x$ is chosen infinitely often in $(x,\varepsilon)$" $\wedge \Box B) > 0$.

Since the step $(x,\varepsilon) \xrightarrow{\delta_x} (y,\varepsilon)$ has positive probability, we get

$\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond (x,\varepsilon) \wedge$ "$\delta_x$ is chosen infinitely often in $(x,\varepsilon)$" $\wedge \Box\Diamond (y,\varepsilon) \wedge \Box B) > 0$.

Hence, $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond (y,\varepsilon) \wedge \Box B) > 0$. This yields $y \in X$. We conclude that there is a transition $(x,\varepsilon) \to X$. As this is true for any $x \in X$, $X$ is safe for $B$. □

ad (d) of Theorem 4.1: $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i=1}^n \Diamond A_i) = 1$.

The case where $n = 1$ is equivalent, by Lemmas 3.6 and 3.7, to $q \in \mathrm{Prom}(A_1)$, a decidable question. Lemma 3.6 shows moreover that a memoryless $\mathcal{U}$ (the stubborn scheduler) is sufficient.

We now consider the general case. With any $I \subseteq \{1, \dots, n\}$ we associate a set $X_I \subseteq Q$ of locations defined inductively with:

$X_\emptyset \stackrel{\mathrm{def}}{=} Q$, $\qquad X_I \stackrel{\mathrm{def}}{=} \bigcup_{i \in I} \mathrm{Prom}(A_i \cap X_{I \setminus \{i\}})$ for $I \neq \emptyset$.

By Lemma 3.5, $X_I = \mathrm{Prom}(\bigcup_{i \in I} A_i \cap X_{I \setminus \{i\}})$.

Lemma 4.4. For all $I \subseteq \{1, \dots, n\}$ there exists a finite-memory scheduler $\mathcal{U}_I$ such that $\forall q \in X_I\ \forall w\ \Pr_{\mathcal{U}_I}((q,w) \models \bigwedge_{i \in I} \Diamond A_i) = 1$.

Proof. The proof is by induction on (the size of) $I$.
For $I = \emptyset$, $\bigwedge_{i \in I} \Diamond A_i$ always holds.

Let $\emptyset \neq I \subseteq \{1, \dots, n\}$. The definition of $X_I$ as a promising set entails (see Lemma 3.6) that there exists a memoryless scheduler $\mathcal{U}$ such that

$\forall q \in X_I\ \forall w\ \Pr_{\mathcal{U}}((q,w) \models \Diamond \bigcup_{i \in I} (A_i \cap X_{I \setminus \{i\}})) = 1$.

We now derive $\mathcal{U}_I$ out of $\mathcal{U}$. $\mathcal{U}_I$ behaves as $\mathcal{U}$ until some configuration $(y,v)$ with $y \in A_i \cap X_{I \setminus \{i\}}$ (for some $i \in I$) is reached. From that point $\mathcal{U}_I$ switches mode and behaves as $\mathcal{U}_{I \setminus \{i\}}$. By induction hypothesis $\bigwedge_{j \in I \setminus \{i\}} \Diamond A_j$ will be satisfied almost surely from $(y,v)$. Hence $\Pr_{\mathcal{U}_I}((q,w) \models \bigwedge_{i \in I} \Diamond A_i) = 1$. $\mathcal{U}_I$ is finite memory, since it has at most one mode for each $J \subseteq \{1, \dots, n\}$. □

Lemma 4.5. For all $I \subseteq \{1, \dots, n\}$, if $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i \in I} \Diamond A_i) = 1$ for some $\mathcal{U}$, then $q \in X_I$.

Proof. Here again the proof is by induction on $I$.
The case $I = \emptyset$ is trivial since $X_\emptyset = Q$.

Let $\emptyset \neq I \subseteq \{1, \dots, n\}$ and assume $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i \in I} \Diamond A_i) = 1$. We define

$Y \stackrel{\mathrm{def}}{=} \{x \in Q \mid \exists$ a $\mathcal{U}$-path $\pi_x : (q,\varepsilon) \to_{[B]} (x,\varepsilon)\}$

where $B \stackrel{\mathrm{def}}{=} Q \setminus \bigcup_{i \in I} A_i$, and show that $Y \subseteq X_I$. For a fixed $x \in Y$, since $\pi_x$ is a $\mathcal{U}$-path, from $(x,\varepsilon)$ there must be a path visiting all the $A_i$'s for $i \in I$. Consider one such path and let $y$ be the first location belonging to some $A_j$ for $j \in I$. Then $\pi'_x \stackrel{\mathrm{def}}{=} (q,\varepsilon) \to_{[B]} (x,\varepsilon) \to_{[B]} (y,\varepsilon)$ with $y \in A_j$ is again a $\mathcal{U}$-path. From $(y,\varepsilon)$, all the $A_i$'s with $i \in I \setminus \{j\}$ have to be visited with probability one. Let $\mathcal{U}_y$ be a "suffix" scheduler of $\mathcal{U}$ given by: $\mathcal{U}_y((y,\varepsilon) \cdots) = \mathcal{U}(\pi'_x \cdots)$. From the assumption on $\mathcal{U}$ and the form of $\pi'_x$ we deduce that $\Pr_{\mathcal{U}_y}((y,\varepsilon) \models \bigwedge_{i \in I \setminus \{j\}} \Diamond A_i) = 1$.

By induction hypothesis, $y \in X_{I \setminus \{j\}}$. Hence $(x,\varepsilon) \to_{[Y]} (y,\varepsilon)$ entails $(x,\varepsilon) \to_{[Y]} \bigcup_{i \in I} A_i \cap X_{I \setminus \{i\}}$.

By definition of $\mathrm{Prom}$ (greatest fixed point), $Y \subseteq \mathrm{Prom}(\bigcup_{i \in I} A_i \cap X_{I \setminus \{i\}}) = X_I$. As a consequence $q \in Y$ implies $q \in X_I$. □

Corollary 4.6. The following assertions are equivalent:

(d.1) There exists a scheduler $\mathcal{U}$ with $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i=1}^n \Diamond A_i) = 1$.

(d.2) There exists a finite-memory scheduler $\mathcal{U}$ with $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i=1}^n \Diamond A_i) = 1$.

(d.3) $q \in X_{\{1, \dots, n\}}$.

Hence decidability of (d.3) (see section 3.2) entails decidability of (d.1).

4.2 Repeated reachability properties

We now discuss the decidability of repeated reachability problems, formalized by a Büchi condition $\Box\Diamond A$ ("visit infinitely often locations in $A$") or generalized Büchi conditions that arise through the conjunction of several Büchi conditions.

In this subsection, we see that for generalized Büchi conditions and for the three probabilistic satisfaction criteria "almost surely", "with zero probability" or "with probability $< 1$" the class of finite-memory schedulers is as powerful as the full class of (history-dependent) schedulers. Furthermore the corresponding problems can all be solved algorithmically. When the fourth criterion "with probability $> 0$" is considered, the problem is undecidable (see section 5).
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Theorem 4.7 (Generalized Buchi). It is decidable whether for a given NPLCS 
9^C, location q, sets Ai, . . . ,A„ of locations and repeated reachability properties (a), (b) or 
(c) there exists a scheduler U satisfying 

(a) Pr„((<?,8) h A OOAi) = I, or 

i=l 

(b) Pr„((^,e) h A aOAi)=0,or 

i=l 

(c) Pr« h A □OA,)<l. 

Moreover, if such a scheduler exists then there is also a finite-memory scheduler with 
the same property. In case (b), the existence of a scheduler entails the existence of an 
almost-blind and memoryless scheduler In case (c), the existence of a scheduler entails 
the existence of an almost-blind and finite-memory scheduler 

As for Theorem 4. 1 we show the decidability of (a), (b) and (c) in turn. 

ad (a) of Theorem 4.7: $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i=1}^n \Box\Diamond A_i) = 1$.

We prove the equivalence of the following three statements:

(a.1) There exists a scheduler $\mathcal{U}$ such that $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i=1}^n \Box\Diamond A_i) = 1$.

(a.2) There exists a finite-memory scheduler $\mathcal{U}$ such that $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i=1}^n \Box\Diamond A_i) = 1$.

(a.3) $q \in \bigcap_{i=1}^n \mathrm{Safe}(\mathrm{Prom}(A_i))$.

Proof. (a.2) $\Rightarrow$ (a.1): is obvious.

(a.1) $\Rightarrow$ (a.3): Let $\mathcal{U}$ be a scheduler as in (a.1). Let $X$ be the set of all locations $x \in Q$ that are visited with positive probability under $\mathcal{U}$ starting from state $(q,\varepsilon)$. That is,

$X = \{x \in Q \mid \Pr_{\mathcal{U}}((q,\varepsilon) \models \Diamond x) > 0\}$.

Let us show that $X \subseteq \bigcap_{i=1}^n \mathrm{Safe}(\mathrm{Prom}(A_i))$.

Any finite $\mathcal{U}$-path $(q,\varepsilon) \to^* s$ can be extended to an infinite $\mathcal{U}$-path where $\Box\Diamond A_i$ holds (otherwise, $\Box\Diamond A_i$ could not hold almost surely). Hence, for all $x \in X$, there must exist some $\mathcal{U}$-path

$\pi = (q,\varepsilon) \to^* (x,\varepsilon) \to^* A_1 \to^* A_2 \cdots \to^* A_n \to^* A_1 \cdots$

These paths only visit locations in $X$, hence witness $X \subseteq \mathrm{Prom}(A_i)$ for all $i$. In turn, they also witness that $X$ is safe for the $\mathrm{Prom}(A_i)$'s, hence $X \subseteq \bigcap_{i=1}^n \mathrm{Safe}(\mathrm{Prom}(A_i))$. One concludes by noting that $q \in X$.

(a.3) $\Rightarrow$ (a.2): Let $Y \stackrel{\mathrm{def}}{=} \bigcap_{i=1}^n \mathrm{Safe}(\mathrm{Prom}(A_i))$ and assume $q \in Y$. For each $x \in Y$ and $i = 1, \dots, n$ we pick a simple (i.e., loop-free) path $\pi_{x,i}$ from $(x,\varepsilon)$ to $A_i$.

We design a finite-memory scheduler $\mathcal{U}$ that works with the modes $(x,i)$ where $x \in Y$ and $1 \le i \le n$, and recovery modes $i$ for $1 \le i \le n$. Intuitively, in the modes $(\cdot,i)$ $\mathcal{U}$ tries to reach $A_i$, using the stubborn scheduler for $A_i$ (see proof of Lemma 3.6). As soon as $A_i$ is reached, $\mathcal{U}$ changes to the mode $(\cdot,i+1)$ and tries to reach $A_{i+1}$ (here and in the sequel, we identify mode $(x,1)$ with $(x,n+1)$). As before, in recovery mode $i$, $\mathcal{U}$ just waits until a configuration with empty channel is reached, staying in $\mathrm{Safe}(\mathrm{Prom}(A_i))$ in the meantime. When some $(y,\varepsilon)$ is eventually reached (which happens almost surely due to the finite-attractor property), $\mathcal{U}$ switches back to mode $(y,i)$. Hence, $\mathcal{U}$ will almost surely eventually reach $A_i$. But then, $\mathcal{U}$ switches to the modes for index $i+1$ and the same argument applies for the next goal states $A_{i+1}$. This yields $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_i \Box\Diamond A_i) = 1$, and $\mathcal{U}$ is a finite-memory scheduler. □

Decidability of (a) follows from decidability of (a.3) which is established in section 3.

ad (b) of Theorem 4.7: $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i=1}^n \Box\Diamond A_i) = 0$.

Clearly,

$\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i=1}^n \Box\Diamond A_i) = 0$ iff $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigvee_{i=1}^n \Diamond\Box \neg A_i) = 1$.

Letting $B_i \stackrel{\mathrm{def}}{=} Q \setminus A_i$, it suffices to show that it is decidable whether there exists a scheduler $\mathcal{U}$ with

$\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigvee_{i=1}^n \Diamond\Box B_i) = 1$.

We show the equivalence of the following statements:

(b.1) There is a scheduler $\mathcal{U}$ with $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigvee_{i=1}^n \Diamond\Box B_i) = 1$.

(b.2) There is a finite-memory scheduler $\mathcal{U}$ with $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigvee_{i=1}^n \Diamond\Box B_i) = 1$.

(b.3) There is a scheduler $\mathcal{V}$ with $\Pr_{\mathcal{V}}((q,\varepsilon) \models \Diamond \bigcup_{i=1}^n \mathrm{Safe}(B_i)) = 1$.

Proof. (b.2) $\Rightarrow$ (b.1): is obvious.

(b.1) $\Rightarrow$ (b.3): We assume that we are given a scheduler $\mathcal{U}$ as in (b.1). Let $X_i$ be the set of locations $x$ with $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond (x,\varepsilon) \wedge \Diamond\Box B_i) > 0$. We then have $X_i \subseteq B_i$. We now show that

(i) $(x,\varepsilon) \to X_i$ for any $x \in X_i$, and

(ii) $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Diamond \bigcup_{i=1}^n X_i) = 1$.

Note that (i) yields $X_i \subseteq \mathrm{Safe}(B_i)$. But then (ii) yields (b.3).

Proof of (i): Let $x \in X_i$. There exists a transition rule $\delta = x \to y$ which is enabled in $(x,\varepsilon)$ and such that

$\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond ((x,\varepsilon) \wedge$ "$\delta$ is chosen for $(x,\varepsilon)$"$) \wedge \Diamond\Box B_i) > 0$.

If the transition rule $\delta$ is chosen infinitely often in configuration $(x,\varepsilon)$ then almost surely the step $(x,\varepsilon) \to (y,\varepsilon)$ occurs infinitely often. Hence, $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond (x,\varepsilon) \wedge \Box\Diamond (y,\varepsilon) \wedge \Diamond\Box B_i) > 0$ and thus $y \in X_i$.

Proof of (ii): By definition of $X_i$, $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Diamond\Box B_i \wedge \Box\Diamond (z,\varepsilon)) = 0$ for any $z \notin X_i$.

Hence, since $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigvee_{i=1}^n \Diamond\Box B_i) = 1$, for each $z \notin X \stackrel{\mathrm{def}}{=} \bigcup_{i=1}^n X_i$ necessarily $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond (z,\varepsilon)) = 0$. Hence, $Q$ being finite, $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigvee_{z \notin X} \Box\Diamond (z,\varepsilon)) = 0$.

Thus, the finite-attractor property yields $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigvee_{x \in X} \Box\Diamond (x,\varepsilon)) = 1$. In particular,

$\Pr_{\mathcal{U}}((q,\varepsilon) \models \Diamond \bigcup_{i=1}^n X_i) = 1$.

(b.3) $\Rightarrow$ (b.2): Let $\mathcal{V}$ be a scheduler as in (b.3). By Lemma 3.6, we may assume that $\mathcal{V}$ is memoryless. We then define $\mathcal{U}$ as the scheduler that behaves as $\mathcal{V}$ until a location in $\bigcup_i \mathrm{Safe}(B_i)$ is reached (this happens almost surely). When a location $x \in \mathrm{Safe}(B_i)$ is reached (for some $i$), $\mathcal{U}$ mimics the so-called "safe" scheduler (blind and memoryless) described in section 3.1 for safe sets, and fulfills $\Box \mathrm{Safe}(B_i)$ from location $x$ onwards. Since $\mathrm{Safe}(B_i) \subseteq B_i$ we obtain $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigvee_{i=1}^n \Diamond\Box B_i) = 1$. Moreover, $\mathcal{U}$ is an almost blind, memoryless scheduler. □

ad (c) of Theorem 4.7: $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i=1}^n \Box\Diamond A_i) < 1$.

We first observe that for any scheduler $\mathcal{U}$:

$\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i=1}^n \Box\Diamond A_i) < 1$
iff $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigvee_{i=1}^n \Diamond\Box \neg A_i) > 0$
iff $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Diamond\Box \neg A_i) > 0$ for some $i \in \{1, \dots, n\}$.

Hence, it suffices to discuss the decidability of the question whether for a given set $B \subseteq Q$ there is a scheduler $\mathcal{U}$ with $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Diamond\Box B) > 0$.
The following statements are equivalent:

(c.1) $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Diamond\Box B) > 0$ for some $\mathcal{U}$.

(c.2) $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Diamond\Box B) > 0$ for some almost blind and finite-memory $\mathcal{U}$.

(c.3) $(q,\varepsilon) \to^* \mathrm{Safe}(B)$.

Proof. (c.2) $\Rightarrow$ (c.1): is obvious.

(c.3) $\Rightarrow$ (c.2): Assume $\mathrm{Safe}(B)$ is reachable from $(q,\varepsilon)$. Then, there is a finite simple (i.e., loop-free) path $\pi$ from $(q,\varepsilon)$ to $(x,\varepsilon)$ for some $x \in \mathrm{Safe}(B)$. Let $\mathcal{U}$ be an almost blind, memoryless scheduler which generates the above path $\pi$ with positive probability and, when/if $\mathrm{Safe}(B)$ is reached, behaves as the safe scheduler for $B$. Clearly, $\mathcal{U}$ has the desired property.

(c.1) $\Rightarrow$ (c.3): Let $\mathcal{U}$ be a scheduler as in (c.1). We define $X$ to be the set of locations $x \in Q$ such that $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond (x,\varepsilon) \wedge \Diamond\Box B) > 0$. The finite-attractor property entails that $X$ is not empty. Furthermore $X \subseteq B$ and $X$ is reachable from $(q,\varepsilon)$. A reasoning as in the proof of (b.1) $\Rightarrow$ (b.3) (see proof of (i)) shows that $X$ is safe for $B$. □

The decidability of (c.3) entails that (c) is decidable.
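Every characterization in this section reduces to three ingredients: restricted reachability $(x,\varepsilon) \to_{[X]} A$, the greatest fixed point $\mathrm{Prom}(A)$, and the greatest fixed point $\mathrm{Safe}(B)$. The following Python script is an added illustration, not code from the paper, that implements those three ingredients and transcribes the resulting tests for Theorem 4.1 (b), (c) and (d) (the latter with $n = 1$) and Theorem 4.7 (a) and (c) (with a single set). It runs on a small constructed LCS (`TOY_RULES`, a send-and-retry loop with absorbing locations `ok` and `bad`, invented for this example) and explores configurations with a channel-length bound, so its reachability is an under-approximation that is exact only for systems whose channel never exceeds that bound (an assumption of the example; the paper's procedures use exact LCS reachability instead).

```python
from collections import deque

# Constructed toy LCS (not from the paper): one channel over alphabet {"a"}.
# A rule is (source, op, target) with op "!m" (write m), "?m" (read m) or "nop".
TOY_LOCS = frozenset({"q0", "q1", "ok", "bad"})
TOY_RULES = (
    ("q0", "!a", "q1"),    # send a
    ("q1", "?a", "ok"),    # receive it ...
    ("q1", "nop", "q0"),   # ... or, if it was lost, go back and retry
    ("ok", "nop", "ok"),   # ok and bad are absorbing
    ("q0", "nop", "bad"),
    ("bad", "nop", "bad"),
)

def steps(rules, loc, chan, bound):
    """Successors of configuration (loc, chan) under lossy FIFO semantics.
    Losses are modelled by dropping one message at a time; iterating this
    inside the search reaches every subword, i.e. the whole lossy closure.
    Writes beyond `bound` messages are cut off: an under-approximation,
    exact when the system never exceeds `bound` (assumed for the toy)."""
    for src, op, dst in rules:
        if src != loc:
            continue
        if op == "nop":
            yield dst, chan
        elif op[0] == "!" and len(chan) < bound:
            yield dst, chan + op[1:]
        elif op[0] == "?" and chan.startswith(op[1:]):
            yield dst, chan[len(op) - 1:]
    for i in range(len(chan)):
        yield loc, chan[:i] + chan[i + 1:]

def reach_within(rules, x, inside, targets, bound=4):
    """The paper's (x,eps) ->[inside] targets: can (x, empty channel) reach a
    location of `targets` along a path whose locations all lie in `inside`?"""
    if x not in inside:
        return False
    seen, todo = {(x, "")}, deque([(x, "")])
    while todo:
        loc, chan = todo.popleft()
        if loc in targets:
            return True
        for nxt in steps(rules, loc, chan, bound):
            if nxt[0] in inside and nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return False

def prom(locs, rules, A):
    """Prom(A): greatest X such that every x in X satisfies (x,eps) ->[X] A."""
    X = set(locs)
    while True:
        keep = {x for x in X if reach_within(rules, x, X, set(A) & X)}
        if keep == X:
            return frozenset(X)
        X = keep

def safe(locs, rules, B):
    """Safe(B): greatest X within B such that every x in X has a one-step
    successor (y,eps) with y in X.  On the empty channel only write and nop
    rules are enabled, and a written message may be lost at once, so every
    such rule x -> y with y in X yields the required step (x,eps) -> (y,eps)."""
    X = set(B) & set(locs)
    while True:
        keep = {x for x in X
                if any(s == x and o[0] != "?" and d in X for s, o, d in rules)}
        if keep == X:
            return frozenset(X)
        X = keep

# Decision procedures, each a direct transcription of a characterization above.
def exists_eventually_as(locs, rules, q, A):      # Thm 4.1 (d), n = 1: q in Prom(A)
    return q in prom(locs, rules, A)

def exists_never_as(locs, rules, q, Bs):          # Thm 4.1 (b): q in some Safe(B_i)
    return any(q in safe(locs, rules, B) for B in Bs)

def exists_stay_positive(locs, rules, q, B):      # Thm 4.1 (c): (q,eps) ->[B] Safe(B)
    return reach_within(rules, q, B, safe(locs, rules, B))

def exists_buchi_as(locs, rules, q, A):           # Thm 4.7 (a), n = 1: q in Safe(Prom(A))
    return q in safe(locs, rules, prom(locs, rules, A))

def exists_cobuchi_positive(locs, rules, q, B):   # Thm 4.7 (c): (q,eps) ->* Safe(B)
    return reach_within(rules, q, locs, safe(locs, rules, B))

if __name__ == "__main__":
    print("Prom({ok}) =", sorted(prom(TOY_LOCS, TOY_RULES, {"ok"})))
    print("some scheduler reaches ok a.s. from q0:",
          exists_eventually_as(TOY_LOCS, TOY_RULES, "q0", {"ok"}))
    print("some scheduler avoids bad a.s. from q0:",
          exists_never_as(TOY_LOCS, TOY_RULES, "q0", [TOY_LOCS - {"bad"}]))
```

On the toy system, `q0` lies in $\mathrm{Prom}(\{\mathrm{ok}\})$ because the retry edge `q1 -> q0` lets the stubborn scheduler re-send after a loss, while `bad` does not; and $\mathrm{Safe}(\{q_1, \mathrm{ok}\})$ drops `q1` because its only move on the empty channel leaves the set, which is exactly why no scheduler keeps $\Box\{q_1,\mathrm{ok}\}$ with positive probability from $(q_1,\varepsilon)$.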
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5. HARDNESS AND UNDECIDABILITY RESULTS 

In this section we investigate the computational complexity of the problems shown decid- 
able in section 4, and we prove undecidability for the remaining problems. Technically, 
most results are hardness proofs and the involved reductions make repeated use of the 
following "cleaning" gadget. 

5.1 Cleaning gadget

The cleaning gadget is the NPLCS shown in Fig. 3. It can be part of a larger NPLCS where it serves to empty ("clean") one channel without introducing deadlocks. For a given message alphabet $M = \{a, \dots\}$, the system described in Fig. 3 uses one channel (left implicit) and a new message symbol $\$ \notin M$. Letter $a$ in Fig. 3 is a symbol from the original message alphabet $M$. Operations "$?m$" are used as a shorthand for all $|M| + 1$ possible reading operations over the new message alphabet $M \cup \{\$\}$. The purpose of $\$$ is to force the channel to be emptied when moving from in to out.

Fig. 3. Cleaning gadget, assuming $\$ \notin M$ (figure not reproduced; its locations are in, 1, 2, 3 and out, and its edges carry the labels $?m$, $!a$ and $!\$$).

Let $T \subseteq \mathrm{Conf}$ be the set of configurations described by the following regular expression:

$T = (\mathrm{in}, M^*) + (1, M^*(\$ + \varepsilon)) + (2, M^* \$^*) + (3, \$^* a^*) + (\mathrm{out}, \varepsilon)$

Lemma 5.1. The configurations reachable from $(\mathrm{in}, M^*)$ are exactly those in $T$.

Proof Sketch. The left-to-right inclusion can be verified by showing that $T$ is an invariant. For instance, from configurations $(\mathrm{in}, M^*)$ only the configurations in $(1, M^*(\$ + \varepsilon))$ are reachable within one step, while from $(2, M^* \$^*)$ only configurations in $(3, \$^*) + (2, M^* \$^*)$ can be reached. And so on. The other inclusion is easy to see. □

Constructions incorporating the gadget rely on the following property:

Lemma 5.2. For any $w \in M^*$:

(a) If $\mathcal{U}$ is a scheduler for the cleaning gadget and $v \neq \varepsilon$ then $\Pr_{\mathcal{U}}((\mathrm{in}, w) \models \Diamond (\mathrm{out}, v)) = 0$.

(b) There is a (memoryless) scheduler $\mathcal{U}$ for the cleaning gadget with $\Pr_{\mathcal{U}}((\mathrm{in}, w) \models \Diamond (\mathrm{out}, \varepsilon)) = 1$.

Proof. (a) is immediate from Lemma 5.1. To prove (b), we describe a scheduler $\mathcal{U}$ with the desired property. $\mathcal{U}$ starts from $(\mathrm{in}, w)$, selects the in $\to$ 1 rule, aiming for configuration $(1, \$)$ from which $(\mathrm{out}, \varepsilon)$ can be reached. In case a configuration $(1, v)$ with $v \neq \$$ is reached, $\mathcal{U}$ moves from 1 to 2, goes back to in and retries. This will eventually succeed with probability 1. □

Let us remark as an aside that, if one takes properties (a) and (b) above as the specification of a cleaning gadget, then it can be proved that any gadget necessarily uses "new" messages not from $M$, like $\$$ in our construction.

5.2 Complexity of decidable cases

We consider the decidable cases given in section 4. One problem (reachability with zero probability) is in PTIME, and even NLOGSPACE-complete, but all the others are non-primitive recursive, as are most decidable problems for LCS's [Schnoebelen 2002].

Theorem 5.3. The problem, given NPLCS $\mathcal{N}$, location $q$ and set $A \subseteq Q$ of locations, whether there exists a scheduler $\mathcal{U}$ such that $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Diamond A) = 0$, is NLOGSPACE-complete.

Proof Sketch. Lemmas 3.2 and 3.3 show that the above problem (equivalently, whether $q \in \mathrm{Safe}(Q \setminus A)$, see the proof of Theorem 4.1 (b)) is equivalent to a reachability question in some subgraph of the control graph of $\mathcal{L}$. □

Theorem 5.4. The problem, given a NPLCS $\mathcal{N}$, a location $q$ and a set of locations $A$, whether there exists a scheduler $\mathcal{U}$ satisfying (a.1) (or (a.2), ..., or (b.3)), is not primitive recursive. Here (a.1), (a.2) and (a.3) denote the single-eventuality problems $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Diamond A) > 0$, $= 1$ and $< 1$, and (b.1), (b.2) and (b.3) the single-Büchi problems $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond A) = 0$, $= 1$ and $< 1$.

In all six cases, the proof is by reducing from the control-state reachability problem for (non-probabilistic) LCS's, known to be non-primitive recursive [Schnoebelen 2002].

The case (a.1) is the easiest since, by Theorem 4.1, it is equivalent to the reachability of $A$ from $(q_0,\varepsilon)$ in the underlying LCS of $\mathcal{N}$.

For all the other cases, except (a.3), we use the reduction illustrated in Fig. 4. Let $\mathcal{L}$ be a LCS with only one channel and two distinguished locations $q_0$ and accept. From $\mathcal{L}$ we build another LCS $\mathcal{L}'$ and consider the NPLCS $\mathcal{N} \stackrel{\mathrm{def}}{=} (\mathcal{L}', \tau)$ for any $\tau \in (0,1)$. We now show that the control-state reachability problem in $\mathcal{L}$ (i.e., is accept reachable from $(q_0,\varepsilon)$?) is equivalent to particular instances of our probabilistic problems for $\mathcal{N}$.

$\mathcal{L}'$ uses the cleaning gadget and has one further location: success. From every original location $r$ of $\mathcal{L}$, except accept, $\mathcal{L}'$ has a $\surd$-transition (an internal action) to in, the input location of the cleaning gadget. There is also a transition from out to $q_0$. From accept there is a transition to success and one can loop on this latter location.

The idea of this reduction is that, if accept is reachable from $q_0$ by some path $\pi$ in $\mathcal{L}$, then it is possible for a scheduler to try and follow this path in $\mathcal{N}$ and, in case probabilistic losses do not comply with $\pi$, to retry as many times as it wants by returning to $q_0$. The cleaning gadget ensures that returning to $q_0$ is done with an empty channel. Note that the only way to visit success is to visit accept first. These general ideas are formalized in the next lemma.

Lemma 5.5. In the LCS $\mathcal{L}'$, the following statements are equivalent:

(i) $(q_0,\varepsilon) \to^* \mathrm{Prom}(\{\mathrm{success}\})$,

(ii) $q_0 \in \mathrm{Prom}(\{\mathrm{success}\})$,

(iii) $(q_0,\varepsilon) \to^* \mathrm{success}$,

(iv) $(q_0,\varepsilon) \to^* \mathrm{accept}$,

(v) $(q_0,\varepsilon) \to_{[\mathcal{L}]} \mathrm{accept}$,

(vi) $q_0 \in \mathrm{Safe}(\mathrm{Prom}(\{\mathrm{success}\}))$,

(vii) $(q_0,\varepsilon) \to^* \mathrm{Safe}(\mathrm{Prom}(\{\mathrm{success}\}))$.

Here "$(q_0,\varepsilon) \to_{[\mathcal{L}]} \cdots$" means that the path only visits original locations from $\mathcal{L}$.

Fig. 4. The LCS $\mathcal{L}'$ associated with $\mathcal{L}$ in Lemma 5.5 (figure not reproduced; it shows $\mathcal{L}$ with its location accept, the cleaning gadget, and the added location success).

Proof. (i) $\Rightarrow$ (ii): Assume $(q_0,\varepsilon) \to^* \mathrm{Prom}(\{\mathrm{success}\})$ and let $(q_0,\varepsilon) \to (q_1,w_1) \to \cdots \to (q_m,w_m)$ with $q_m \in \mathrm{Prom}(\{\mathrm{success}\})$ be a witness (simple) path. From any $q_i \neq \mathrm{success}$ along this path one may reach $(q_0,\varepsilon)$ via the cleaning gadget. Hence $(q_i,\varepsilon) \to^* \mathrm{Prom}(\{\mathrm{success}\})$. All locations along the path from $(q_0,\varepsilon)$ to $\mathrm{Prom}(\{\mathrm{success}\})$ satisfy this property, hence we have $q_0 \in \mathrm{Prom}(\{\mathrm{success}\})$.

(ii) $\Rightarrow$ (iii): by definition of $\mathrm{Prom}(\cdot)$.

(iii) $\Rightarrow$ (iv): obvious, since success can only be entered from accept.

(iv) $\Rightarrow$ (v): Assume $\pi$ is a path from $(q_0,\varepsilon)$ to accept. If this path steps out of $\mathcal{L}$ then it can only go to the cleaning gadget. From there the only exit back to $\mathcal{L}$ is via $(q_0,\varepsilon)$ (Lemma 5.2.(a)), looping back to a previously visited configuration. Thus if $\pi$ is a simple path, it stays inside $\mathcal{L}$.

(v) $\Rightarrow$ (vi): suppose $(q_0,\varepsilon) \to_{[\mathcal{L}]} \mathrm{accept}$. Then $(q_0,\varepsilon) \to^* \mathrm{success}$ and $s \to^* \mathrm{success}$ for all configurations $s$ of $\mathcal{L}'$, either because $s$ is already some $(\mathrm{success}, w)$, or because $s$ can reach $(q_0,\varepsilon)$ via the cleaning gadget. As a consequence, all locations of $\mathcal{L}'$ are in $\mathrm{Prom}(\{\mathrm{success}\})$, and then in $\mathrm{Safe}(\mathrm{Prom}(\{\mathrm{success}\}))$.

(vi) $\Rightarrow$ (vii): trivial.

(vii) $\Rightarrow$ (i): obvious because $\mathrm{Safe}(A) \subseteq A$ for any set $A$ of locations. □
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Using Lemma 5.5 and characterizations given by Theorems 4. 1 and 4.7 we have: 

311 Ply (((70, e) H ^success) = 1 iff qo G Pre<m({success}) (a.2) 

iff in L, qo accept. 

311 Pr^ ((^o,e) 1= nOsuccess) = 1 iff £ 5fl/e(Prom({success})) (b.2) 

iff in L, qo —i- accept. 

3ll Pr^ ((^o,e) 1= nO^success) = iff G Prom{Safe{Q \ {success})) (b.l) 

iff in L, qo accept. 

3ll Pr.u (((70, e) H nO^success) < 1 iff g'o ^ 2\ {success} (b.3) 

iff in L, qo ^ accept. 

Thus, ^0 — ^ accept, a non-primitive recursive problem, reduces to instances of (a.l), 
{b.2), [b.l) and {b3). 
We now prove case (a.3) of Theorem 5.4, using the reduction described in Fig. 5.

Fig. 5. Associating $\mathcal{L}'$ with an arbitrary LCS $\mathcal{L}$ for case (a.3) (figure not reproduced).

Here, with some LCS $\mathcal{L}$ as before, we associate an LCS $\mathcal{L}'$ by adding two special locations sink and success. As in the previous reduction, success is directly reachable from accept by an internal action $\surd$, and one can loop on success.

Now, each transition rule $\delta\colon q \xrightarrow{op} r$ in $\mathcal{L}$ is translated in $\mathcal{L}'$ under the form $q \xrightarrow{op} 1_\delta \xrightarrow{!\$} 2_\delta \xrightarrow{?\$} r$, using two intermediate locations $1_\delta$ and $2_\delta$, and a new message $\$ \notin M$. Thus, moving from $q$ to $r$ in $\mathcal{L}'$ requires that one removes the extra $\$$ that has just been inserted. This is obtained by a full rotation of the channel contents, using extra rules $2_\delta \xrightarrow{?a} \cdot \xrightarrow{!a} 2_\delta$ that exist for each $a \in M$. Finally, in case of deadlocks induced by message losses, one can go to the sink location.

The purpose of this reduction is to ensure that accept and success are the only locations from which one can surely, i.e., with probability one, avoid sink and reach success. For all other locations, the channel may become empty along the way to accept, forcing the system to go to sink.
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Lemma 5.6. /« iA^ = {l' ,1) the following assertions are equivalent: 

(1) Bzi Pr„ ((^o,e) h Osink) < 1, 

(2) qo ^[^sink] 5fl/e(2\ {sink}), 

(3) ^0 ^[^sink] {accept, success}, 

(4) qo {accept}. 

where here again "(q'o,e) —^[l] ' " " means that the path only visits original locations from 
L. 

Proof. The equivalence between (1) and (2) is given by case (c) of Theorem 4.1. 
Then we show that 5'fl/e(2\ {sink}) = {accept, success}. First {accept, success} C 
Safe{Q \ {sink}) because from accept and success one can loop forever in success 
which is in 2 \ {sink}. On the other hand, if we consider another location q different from 
sink (neither success nor accept) because of the reading operation between Zg and r, 
there is a non-zero probability for the system to lose the message $ and be forced to go to 
sink. Hence Safe{Q \ {sink}) is exactly {accept, success}. Equivalences of (2) with 
(3) and (4) follow from this equality. □ 

Thus the non-primitive recursive problem "does (^0, e) accept" reduces to a special 
instance of problem (a. 3) in Theorem 5.4. 

5.3 Undecidability

5.3.1 An undecidability result for repeated eventually properties. We will now combine the cleaning gadget with an arbitrary lossy channel system to get a reduction from the boundedness problem for LCS's to the question whether a single Büchi constraint $\Box\Diamond A$ holds with positive probability under some scheduler. Recall that an LCS $\mathcal{L}$ is bounded (also space-bounded) for a given starting configuration if the set of reachable configurations is finite.

Theorem 5.7 (Single Büchi property, positive probability). The problem, given an NPLCS $\mathcal{N}$, a location $q$, and a set $A$ of locations, whether there exists a scheduler $\mathcal{U}$ such that $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond A) > 0$, is undecidable.

The remainder of this subsection is concerned with the proof of Theorem 5.7. Let $\mathcal{L} = (Q, \{c\}, M, \Delta)$ be a LCS with a single channel $c$ and a designated initial configuration $(q,\varepsilon)$. We modify $\mathcal{L}$ by adding the cleaning gadget and two locations: success and sink. We also add rules allowing to jump from every "original" location in $Q$ to retry or success. When in success, one can move to retry with a read or move to sink, which cannot be left. When in retry, one can go back to $(q,\varepsilon)$ through the cleaning gadget. The whole construction is depicted in Fig. 6.

Let $\mathcal{L}'$ be the resulting LCS, which we consider as an NPLCS with some fault rate $\tau$: $\mathcal{N} \stackrel{\mathrm{def}}{=} (\mathcal{L}', \tau)$. Since the cleaning gadget lets one go back to the initial configuration of $\mathcal{L}$, any behavior of $\mathcal{L}'$ is a succession of behaviors of $\mathcal{L}$ separated by visits to the additional locations. The idea of this construction is the following: if $\mathcal{L}$ is bounded, then even the best scheduler cannot visit success infinitely often without ending up in sink almost surely. However, if $\mathcal{L}$ is unbounded, some infinite-memory scheduler can achieve this. These ideas are formalized in Propositions 5.8 and 5.9.
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Fig. 6. The LCS l' associated witli L in proof of Theorem 5.7 

Proposition 5.8. Assume that L starting from {q,£.) is bounded. Then, for all sched- 
ulers Ufor^l ~ i-'^'i'^), Pru((^,e) h nOsuccess) =0. 

Proof. Let ll be any scheduler for 9{, and consider the « -paths that visit success 
infinitely often. Let n be one such path: either 7i jumps from L to success infinitely many 
times, or it ends up in sink. In the last case, n does not satisfy DOsuccess. In the first 
case, and since L is bounded, K can only jump to success from finitely many different 
configurations. Hence, for each such jump, the probability that it ends in (success, e) is 
at least x"\ where m is the size of the largest reachable configuration in L. Therefore, the 
configurations (success, e) will be visited almost surely. As only the transition rule 

success — > sink 

is enabled in (success, s), with probability 1 the location sink is eventually reached. 
Since success is not reachable from sink, the property DOsuccess holds with zero 
probability. □ 

Proposition 5.9. Assume that $\mathcal{L}$ starting from $(q,\varepsilon)$ is unbounded. Then, there exists a scheduler $\mathcal{U}$ for $\mathcal{N} = (\mathcal{L}', \tau)$ with $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond \mathrm{success}) > 0$.

Proof. We describe the required scheduler $\mathcal{U}$. Because $\mathcal{L}$ is unbounded, we can pick a sequence $((r_n, w_n))_{n = 1, 2, \dots}$ of reachable configurations such that $|w_n| \ge n$. The scheduler works in phases numbered $1, 2, \dots$ When phase $n$ starts, $\mathcal{U}$ is in the initial configuration $(q,\varepsilon)$ and tries to reach $(r_n, w_n)$. In principle, this can be achieved (since $(r_n, w_n)$ is reachable), but it requires that the right messages are lost at the right times. These losses are probabilistic and $\mathcal{U}$ cannot control them. Thus $\mathcal{U}$ aims for $(r_n, w_n)$ and hopes for the best. It goes on according to plan as long as losses occur as hoped. When a "wrong" loss occurs, $\mathcal{U}$ resigns temporarily, jumps directly to retry, reaches the initial configuration $(q,\varepsilon)$ via the cleaning gadget, and then tries again to reach $(r_n, w_n)$. When $(r_n, w_n)$ is eventually reached (which will happen almost surely given enough retries), $\mathcal{U}$ jumps to success, from there to retry, and initiates phase $n+1$. With these successive phases, $\mathcal{U}$ tries to visit success (and retry) an infinite number of times. We now show that it succeeds with nonzero probability.

When moving from configuration $(r_n, w_n)$ to location success, there is a nonzero probability $P_{loss}(w_n, \varepsilon)$ that all messages in the channel are lost, leaving us in $(\mathrm{success}, \varepsilon)$. When this happens, $\mathcal{U}$ is not able to initiate phase $n+1$ (moving from success to retry requires a nonempty channel). Instead $\mathcal{U}$ will move to sink and stay there forever. However, the probability for this exceptional behavior is strictly less than 1, as we have:

$\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond \mathrm{success}) = \prod_{n=1}^{\infty} \big(1 - P_{loss}(w_n, \varepsilon)\big) \ \ge\ \prod_{n=1}^{\infty} (1 - \tau^n) > 0.$

□

Observe that the scheduler we constructed is recursive but not finite-memory (since it records the index of the current phase).
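The last inequality in the proof of Proposition 5.9, that the infinite product $\prod_{n \ge 1}(1 - \tau^n)$ is strictly positive, is the step the whole reduction rests on. As an added derivation (not part of the original text), it follows from $0 < \tau < 1$ and the elementary bound $\ln(1-x) \ge -x/(1-x)$ for $0 \le x < 1$ (a consequence of $\ln(1+y) \le y$ with $y = x/(1-x)$):

$$\ln \prod_{n=1}^{\infty}(1-\tau^n) \;=\; \sum_{n=1}^{\infty} \ln(1-\tau^n) \;\ge\; -\sum_{n=1}^{\infty} \frac{\tau^n}{1-\tau^n} \;\ge\; -\frac{1}{1-\tau}\sum_{n=1}^{\infty} \tau^n \;=\; -\frac{\tau}{(1-\tau)^2} \;>\; -\infty,$$

hence

$$\prod_{n=1}^{\infty}(1-\tau^n) \;\ge\; \exp\!\Big(-\frac{\tau}{(1-\tau)^2}\Big) \;>\; 0.$$

The same computation shows why the phases must be ordered so that $|w_n| \ge n$: the bound $P_{loss}(w_n,\varepsilon) \le \tau^n$ used in the proof makes the failure probabilities summable, and it is this summability, not merely each factor being positive, that keeps the product away from $0$.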

Remark 5.10. Proposition 5.9 can be strengthened: if $\mathcal{L}$ is unbounded, then for all constants $c < 1$, there exists a scheduler $\mathcal{U}$ such that $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond \mathrm{success}) > c$.

Corollary 5.11. Let $\mathcal{L}$ be a LCS. Then, $\mathcal{L}$ is unbounded if and only if there exists a scheduler $\mathcal{U}$ for $\mathcal{N} \stackrel{\mathrm{def}}{=} (\mathcal{L}', \tau)$ such that $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond \mathrm{success}) > 0$.

This proves Theorem 5.7 since it is undecidable whether a given LCS is bounded [Mayr 2003].

By duality we obtain the undecidability of the problem to check whether $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Diamond\Box A) = 1$ for all schedulers $\mathcal{U}$ for a given NPLCS $\mathcal{N}$.

5.3.2 Other undecidability results. We now discuss the decidability of the problem which asks for a scheduler $\mathcal{U}$ where $\Pr_{\mathcal{U}}((q,\varepsilon) \models \varphi)$ is $= 1$, $< 1$, $= 0$ or $> 0$ and where $\varphi$ is an LTL formula. We begin with the special case of a strong fairness (Streett) condition $\varphi = \bigwedge_{1 \leq i \leq n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)$. We will see that all variants of the qualitative model checking problem for such Streett conditions are undecidable when ranging over the full class of schedulers. In particular, this yields the undecidability of the LTL model checking problem when considering all schedulers. However, when we restrict our attention to finite-memory schedulers, qualitative model checking is decidable for properties specified by Streett conditions or even ω-regular formulas.

We first establish the undecidability results when ranging over all schedulers. In fact, already a special kind of Streett properties with the probabilistic satisfaction criterion "almost surely" cannot be treated algorithmically:

Lemma 5.12. The problem, given an NPLCS $\mathcal{N}$, sets of locations $A, B \subseteq Q$, and a location $q \in Q$, whether there exists a scheduler $\mathcal{U}$ with

$$\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond B \wedge \Diamond\Box A) = 1,$$

is undecidable.

Proof. The proof is again by a reduction from the boundedness problem for LCS as in section 5.3.1. Let $\mathcal{L}$ be an LCS. We build a new LCS $\mathcal{L}'$ by combining $\mathcal{L}$ with the cleaning gadget as shown in Fig. 7 (this is a variant of the previous construction). Let $\mathcal{N} = (\mathcal{L}', \tau)$. There exists a scheduler $\mathcal{U}$ for $\mathcal{N}$ with $\Pr_{\mathcal{U}}((q_0,\varepsilon) \models \Box\Diamond \mathit{success} \wedge \Diamond\Box \neg\mathit{fail}) = 1$ iff $\mathcal{L}$ is unbounded (starting from $(q_0,\varepsilon)$).

Fig. 7. The LCS $\mathcal{L}'$ associated with $\mathcal{L}$ in the proof of Lemma 5.12.

For these two constructions, the "same" scheduler is used in the positive cases. For the second construction, the proof for the positive case observes that

$$\Pr_{\mathcal{U}}((q_0,\varepsilon) \models \Box\Diamond \mathit{success} \wedge \Diamond\Box \neg\mathit{fail}) = \lim_{n \to \infty} \prod_{k=n}^{\infty} (1 - \tau^k) = 1,$$

where $n$ stands for the phase number from which fail will not be visited again. □

Theorem 5.13 (Streett properties). For the qualitative properties (a)–(d) below, the problem, given an NPLCS $\mathcal{N}$, a location $q \in Q$, and $2n$ sets of locations $A_1, B_1, \ldots, A_n, B_n \subseteq Q$, whether there exists a scheduler $\mathcal{U}$ such that

(a) $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i=1}^{n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)) > 0$,

(b) $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i=1}^{n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)) < 1$,

(c) $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i=1}^{n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)) = 1$,

(d) $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i=1}^{n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)) = 0$,

is undecidable.

Proof.

(a) follows immediately from Theorem 5.7 as $(\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)$ agrees with $\Box\Diamond B$ if we take $n = 1$, $A_1 = Q$ and $B_1 = B$.

(b) We show that already the question whether there is some scheduler $\mathcal{U}$ with $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond A \Rightarrow \Box\Diamond B) < 1$ is undecidable, where $A$ and $B$ are sets of locations. This follows from Theorem 5.7 and the fact that for $B = \emptyset$

$$\begin{array}{rl}
& \Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond A \Rightarrow \Box\Diamond B) < 1 \\
\text{iff} & \Pr_{\mathcal{U}}((q,\varepsilon) \models \neg(\Box\Diamond A \Rightarrow \Box\Diamond B)) > 0 \\
\text{iff} & \Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond A \wedge \underbrace{\Diamond\Box(Q \setminus B)}_{= \text{true since } B = \emptyset}) > 0 \\
\text{iff} & \Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond A) > 0.
\end{array}$$

(c) follows by Lemma 5.12 with $n = 2$, $A_1 = Q$, $B_1 = B$, $A_2 = Q \setminus A$ and $B_2 = \emptyset$, which yields

$$\bigwedge_{1 \leq i \leq n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i) = (\underbrace{\Box\Diamond Q}_{= \text{true}} \Rightarrow \Box\Diamond B) \wedge (\Box\Diamond(Q \setminus A) \Rightarrow \underbrace{\Box\Diamond \emptyset}_{= \text{false}}) = \Box\Diamond B \wedge \Diamond\Box A.$$

(d) We show the undecidability of the question whether $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond A \Rightarrow \Box\Diamond B) = 0$ for some $\mathcal{U}$, where $A, B \subseteq Q$ are given sets of locations. This follows from Lemma 5.12 and the fact that

$$\begin{array}{rl}
& \Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond A \Rightarrow \Box\Diamond B) = 0 \\
\text{iff} & \Pr_{\mathcal{U}}((q,\varepsilon) \models \neg(\Box\Diamond A \Rightarrow \Box\Diamond B)) = 1 \\
\text{iff} & \Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond A \wedge \Diamond\Box(Q \setminus B)) = 1.
\end{array}$$

□



Figure 8 summarizes the decidability and undecidability results obtained so far.

Fig. 8. (Un)Decidability of qualitative verification.



6. RESTRICTION TO FINITE-MEMORY SCHEDULERS 

In all decidable cases of section 4, finite-memory schedulers are sufficient. In this section we revisit the problems of section 5, restricting attention to finite-memory schedulers. With this restriction, all problems become decidable.

We first give an immediate property of finite-memory schedulers which will be used in 
the whole section. 

Proposition 6.1. For any finite-memory scheduler $\mathcal{U}$ and any location $q$ we have:

(a) If $p$ is a location, $u$ a mode in $\mathcal{U}$ and if $T$ denotes the set of all configurations $t$ that are reachable from $(p,\varepsilon)_u$ by $\mathcal{U}$, then

$$\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond (p,\varepsilon)_u) = \Pr_{\mathcal{U}}\Bigl((q,\varepsilon) \models \bigwedge_{t \in T} \Box\Diamond t\Bigr).$$

(b) $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond A) = \Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond A_\varepsilon)$.

Proof. (a) If a configuration $s_u$ in the Markov chain $MC_{\mathcal{U}}$ is visited infinitely often, then almost surely all direct successors of $s_u$ are visited infinitely often too. We now may repeat this argument for the direct successors of the direct successors of $s_u$, and so on. We obtain that almost surely all configurations that are reachable from $s_u$ are visited infinitely often, provided that $s_u$ is visited infinitely often.

(b) follows from (a) using the fact that the set of all $(p,\varepsilon)_u$, for $p$ a location and $u$ a mode of $\mathcal{U}$, is a finite attractor, and observing that if $(a,w)$ is reachable within one step from configuration $s$ then so is $(a,\varepsilon)$, as all messages can be lost. □

Observe that the existence of a scheduler $\mathcal{U}$ for which a Büchi property holds with positive probability does not imply the existence of a finite-memory scheduler with the same property. This is a consequence of Theorem 5.7 and the next theorem (6.2).

Theorem 6.2 (Generalized Büchi, positive probability). The problem, given an NPLCS $\mathcal{N}$, a location $q \in Q$, and sets of locations $A_1, \ldots, A_n \subseteq Q$, whether there exists a finite-memory scheduler $\mathcal{U}$ such that $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{1 \leq i \leq n} \Box\Diamond A_i) > 0$, is decidable.

Proof. We show that the following statements (1) and (2) are equivalent:

(1) there exists a finite-memory scheduler $\mathcal{U}$ such that $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{1 \leq i \leq n} \Box\Diamond A_i) > 0$;

(2) there exists a location $x \in Q$ such that

(2.1) $(q,\varepsilon) \xrightarrow{*} (x,\varepsilon)$, and

(2.2) there is a finite-memory scheduler $\mathcal{V}$ with $\Pr_{\mathcal{V}}((x,\varepsilon) \models \bigwedge_{1 \leq i \leq n} \Box\Diamond A_i) = 1$.

This will prove Theorem 6.2 since, by Theorem 4.7 (a), there is an algorithmic way to compute the set $X$ of locations $x$ such that $\Pr_{\mathcal{V}}((x,\varepsilon) \models \bigwedge_{1 \leq i \leq n} \Box\Diamond A_i) = 1$ for some (finite-memory) scheduler $\mathcal{V}$. We then may check (2.1) by an ordinary reachability analysis in the underlying LCS.

Let us show the equivalence of (1) and (2).

(1) ⇒ (2): Let $\mathcal{U}$ be a finite-memory scheduler as in (1). The finite-attractor property and Proposition 6.1 yield that there is some location $x$ and mode $u$ of $\mathcal{U}$ with

$$\Pr_{\mathcal{U}}\Bigl((q,\varepsilon) \models \bigwedge_{1 \leq i \leq n} \Box\Diamond A_i \wedge \bigwedge_{t \in T} \Box\Diamond t\Bigr) > 0$$

where $T$ is the set of configurations that are reachable from $(x,\varepsilon)_u$ under $\mathcal{U}$. Using the definition of $T$, this yields $T \cap A_i \neq \emptyset$ for $1 \leq i \leq n$. Thus, scheduler $\mathcal{U}$ starting in $(x,\varepsilon)$ in mode $u$ visits almost surely any configuration in $T$ infinitely often. Hence, it visits any set $A_i$ for $i = 1, \ldots, n$ infinitely often (with probability one). That is:

$$\Pr_{\mathcal{U}}\Bigl((x,\varepsilon)_u \models \bigwedge_{1 \leq i \leq n} \Box\Diamond A_i\Bigr) = 1,$$

and (2) holds.

(2) ⇒ (1): Let $q$, $x$ and $\mathcal{V}$ be as in (2). We define $\mathcal{U}$ as the finite-memory scheduler that generates with positive probability a path from $(q,\varepsilon)$ to $(x,\varepsilon)$ and behaves as $\mathcal{V}$ from $(x,\varepsilon)$ on. Clearly, we then have $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{1 \leq i \leq n} \Box\Diamond A_i) > 0$. □

We now present algorithms for the four variants of qualitative model checking of Streett properties for NPLCS's when ranging over finite-memory schedulers.

Theorem 6.3 (Streett properties). For the qualitative properties (a)–(d), the problem, given an NPLCS $\mathcal{N}$, a location $q \in Q$, and $2n$ sets of locations $A_1, B_1, \ldots, A_n, B_n \subseteq Q$, whether there exists a finite-memory scheduler $\mathcal{U}$ satisfying

(a) $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{1 \leq i \leq n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)) < 1$,

(b) $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{1 \leq i \leq n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)) > 0$,

(c) $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{1 \leq i \leq n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)) = 1$,

(d) $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{1 \leq i \leq n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)) = 0$,

is decidable.

We prove each assertion in the rest of this section. 

ad (a) of Theorem 6.3: $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{1 \leq i \leq n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)) < 1$.

Let us consider the dual problem whether, for all finite-memory schedulers $\mathcal{U}$,

$$\Pr_{\mathcal{U}}\Bigl((q,\varepsilon) \models \bigwedge_{i=1}^{n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)\Bigr) = 1.$$

Clearly, the above holds iff

$$\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond A_i \Rightarrow \Box\Diamond B_i) = 1$$

for all finite-memory schedulers $\mathcal{U}$ and all indices $i = 1, \ldots, n$. Thus, it suffices to present an algorithm that solves the problem whether $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond A \Rightarrow \Box\Diamond B) = 1$ for all finite-memory schedulers $\mathcal{U}$, where $A$ and $B$ are given sets of locations. The latter is equivalent to the non-existence of a finite-memory scheduler $\mathcal{U}$ such that

$$\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond A \wedge \Diamond\Box(Q \setminus B)) > 0.$$

We now explain how to check this condition algorithmically. Let $\mathcal{N}'$ be the NPLCS that arises from $\mathcal{N}$ by removing all locations $b \in B$. To ensure that any configuration has at least one outgoing transition, we add a new location fail with

— a self-loop $\mathit{fail} \to \mathit{fail}$ and

— transition rules $p \to \mathit{fail}$ if $p \to b$ for some location $b \in B$.

Using Theorem 6.2, we can compute the set $P$ of locations $p \in Q \setminus B$ such that there is a finite-memory scheduler for $\mathcal{N}'$ with $\Pr_{\mathcal{U}}((p,\varepsilon) \models \Box\Diamond A) > 0$. That is,

$$P = \bigl\{\, p \in Q \setminus B \;\big|\; \text{there is some finite-memory scheduler } \mathcal{U} \text{ for } \mathcal{N} \text{ with } \Pr_{\mathcal{U}}((p,\varepsilon) \models \Box\Diamond A \wedge \Box\neg B) > 0 \,\bigr\}.$$

We show the equivalence of the following two statements:

(1) $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond A \wedge \Diamond\Box\neg B) > 0$ for some finite-memory scheduler $\mathcal{U}$ for $\mathcal{N}$;

(2) $\Pr_{\mathcal{V}}((q,\varepsilon) \models \Diamond P) > 0$ for some finite-memory scheduler $\mathcal{V}$ for $\mathcal{N}$.

(1) ⇒ (2): Let $\mathcal{U}$ be a finite-memory scheduler as in (1). By Proposition 6.1, we may conclude that there exists a location $a \in A$ and a mode $u$ such that

$$\Pr_{\mathcal{U}}\Bigl((q,\varepsilon) \models \bigwedge_{t \in T} \Box\Diamond t \wedge \Diamond\Box\neg B\Bigr) > 0$$

where $T$ is the set of states that are reachable in the Markov chain $MC_{\mathcal{U}}$ from $(a,\varepsilon)_u$, i.e., from configuration $(a,\varepsilon)$ in mode $u$. We then have $T \cap B = \emptyset$ and

$$\Pr_{\mathcal{U}}\Bigl((a,\varepsilon)_u \models \bigwedge_{t \in T} \Box\Diamond t \wedge \Diamond\Box\neg B\Bigr) = \Pr_{\mathcal{U}}((a,\varepsilon)_u \models \Box\Diamond A \wedge \Box\neg B) = 1.$$

Hence, $a \in P$ and $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Diamond P) > 0$.

(2) ⇒ (1): Let $\mathcal{V}$ be a finite-memory scheduler as in (2). For any location $p \in P$, there is a finite-memory scheduler $\mathcal{U}_p$ such that

$$\Pr_{\mathcal{U}_p}((p,\varepsilon) \models \Box\Diamond A \wedge \Box\neg B) > 0.$$

We now may compose $\mathcal{V}$ and the schedulers $\mathcal{U}_p$ to obtain a finite-memory scheduler $\mathcal{U}$ which first mimics $\mathcal{V}$ until we reach a configuration $(p,\varepsilon)$ for some $p \in P$ (which happens with positive probability) and which then behaves as $\mathcal{U}_p$. Clearly, we then have $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond A \wedge \Diamond\Box\neg B) > 0$.

ad (b) of Theorem 6.3: $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{1 \leq i \leq n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)) > 0$.

Let $I \subseteq \{1, \ldots, n\}$ and let $\mathcal{N}_I$ be the NPLCS that arises from $\mathcal{N}$ by removing the locations $b \in A_i$, where $i \in \{1, \ldots, n\} \setminus I$, and adding a new location fail as in the proof of ad (a) (of the present theorem).

Let $C_I$ be the set of locations $z \in Q$ such that $\Pr_{\mathcal{U}}((z,\varepsilon) \models \bigwedge_{i \in I} \Box\Diamond B_i) = 1$ for some (finite-memory) scheduler $\mathcal{U}$ for $\mathcal{N}_I$. Note that under such a scheduler $\mathcal{U}$ the new location fail is not reachable from $(z,\varepsilon)$. Then, we have $z \in C_I$ iff there exists a finite-memory scheduler $\mathcal{U}_z$ for the original NPLCS $\mathcal{N}$ with

$$\Pr_{\mathcal{U}_z}\Bigl((z,\varepsilon) \models \bigwedge_{i \in I} \Box\Diamond B_i \wedge \bigwedge_{i \in \{1,\ldots,n\} \setminus I} \Box\neg A_i\Bigr) = 1.$$

In particular, $\Pr_{\mathcal{U}_z}((z,\varepsilon) \models \bigwedge_{i=1}^{n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)) = 1$ for all $z \in C_I$.

The $C_I$'s can be computed with the technique explained in the proof of Theorem 4.7 (part (a)). Let $C$ be the union of all $C_I$'s. Then, the following statements are equivalent:

(1) $C$ is reachable from $(q,\varepsilon)$;

(2) $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i=1}^{n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)) > 0$ for some finite-memory scheduler $\mathcal{U}$.

(1) ⇒ (2): Let us assume that $C$ is reachable from $(q,\varepsilon)$. Then, there is a memoryless scheduler $\mathcal{U}_{init}$ such that $\Pr_{\mathcal{U}_{init}}((q,\varepsilon) \models \Diamond C) > 0$. Hence, there is some $z \in C$ such that

$$\Pr_{\mathcal{U}_{init}}((q,\varepsilon) \models \Diamond(z,\varepsilon)) > 0.$$

We then may combine $\mathcal{U}_{init}$ and $\mathcal{U}_z$ to obtain a finite-memory scheduler $\mathcal{U}$ with the desired property.

(2) ⇒ (1): Let us now assume that $\mathcal{U}$ is a finite-memory scheduler such that $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i=1}^{n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)) > 0$. Then, there is some $I \subseteq \{1, \ldots, n\}$ such that

$$\Pr_{\mathcal{U}}\Bigl((q,\varepsilon) \models \bigwedge_{i \in I} \Box\Diamond B_i \wedge \bigwedge_{i \notin I} \Diamond\Box\neg A_i\Bigr) > 0.$$

The finite-attractor property yields the existence of some location $z$ and a mode $u$ of $\mathcal{U}$ such that

$$\Pr_{\mathcal{U}}\Bigl((q,\varepsilon) \models \Box\Diamond(z,\varepsilon)_u \wedge \bigwedge_{i \in I} \Box\Diamond B_i \wedge \bigwedge_{i \notin I} \Diamond\Box\neg A_i\Bigr) > 0.$$

As visiting $(z,\varepsilon)_u$ infinitely often ensures that almost surely all configurations that are reachable from $(z,\varepsilon)_u$ are visited infinitely often too (see Proposition 6.1), we obtain

$$\Pr_{\mathcal{U}}\Bigl((z,\varepsilon)_u \models \bigwedge_{i \in I} \Box\Diamond B_i \wedge \bigwedge_{i \notin I} \Box\neg A_i\Bigr) = 1.$$

Hence, $z \in C_I \subseteq C$. This yields that $C$ is reachable from $(q,\varepsilon)$.
ad (c) of Theorem 6.3: $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{1 \leq i \leq n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)) = 1$.

Let $C$ be as in the proof of ad (b). We establish the equivalence of the following statements:

(1) $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{i=1}^{n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)) = 1$ for some finite-memory scheduler $\mathcal{U}$;

(2) $\Pr_{\mathcal{V}}((q,\varepsilon) \models \Diamond C) = 1$ for some finite-memory scheduler $\mathcal{V}$.

(2) ⇒ (1): Let $\mathcal{V}$ be a finite-memory scheduler such that $\Pr_{\mathcal{V}}((q,\varepsilon) \models \Diamond C) = 1$. For $z \in C$, let $\mathcal{U}_z$ be a finite-memory scheduler as in the proof of assertion (b), that is, such that

$$\Pr_{\mathcal{U}_z}\Bigl((z,\varepsilon) \models \bigwedge_{i=1}^{n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)\Bigr) = 1.$$

Then, we may compose $\mathcal{V}$ and the finite-memory schedulers $\mathcal{U}_z$ to obtain a finite-memory scheduler $\mathcal{U}$ such that

$$\Pr_{\mathcal{U}}\Bigl((q,\varepsilon) \models \bigwedge_{i=1}^{n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)\Bigr) = 1.$$

Starting in $(q,\varepsilon)$, $\mathcal{U}$ mimics $\mathcal{V}$ until a configuration $(z,w)$ with $z \in C$ is reached (this happens with probability 1). Then, for $w \neq \varepsilon$, $\mathcal{U}$ chooses the transition rule $\delta_z$ that $\mathcal{U}_z$ chooses for $(z,\varepsilon)$ in its initial mode. Note that $\delta_z$ is enabled in $(z,w)$, and all successors of $(z,w)$ under $\delta_z$ have the form $(y,w')$ for some channel valuation $w'$. Moreover, location $y$ belongs to $C$ as $\mathcal{U}_z$ induces a scheduler $\mathcal{U}_y$ with

$$\Pr_{\mathcal{U}_y}\Bigl((y,\varepsilon) \models \bigwedge_{i=1}^{n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)\Bigr) = 1.$$

Hence, if $w' \neq \varepsilon$ then $\mathcal{U}$ may choose the transition rule $\delta_y$ that $\mathcal{U}_y$ chooses for its starting configuration $(y,\varepsilon)$. $\mathcal{U}$ continues in that way until it reaches a configuration $(x,\varepsilon)$. (The finite-attractor property ensures that this happens with probability 1.) The above construction ensures that $x \in C$. After reaching $(x,\varepsilon)$, $\mathcal{U}$ behaves as $\mathcal{U}_x$, ensuring that $\bigwedge_{i=1}^{n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)$ holds almost surely.

(1) ⇒ (2): Let $\mathcal{U}$ be a finite-memory scheduler such that

$$\Pr_{\mathcal{U}}\Bigl((q,\varepsilon) \models \bigwedge_{i=1}^{n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)\Bigr) = 1.$$

We show that:

For any location $p \in Q$: if $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond(p,\varepsilon)) > 0$ then $p \in C$. (*)

Using the fact that $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigvee_{p \in Q} \Box\Diamond(p,\varepsilon)) = 1$, (*) yields $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Diamond C) = 1$.

Proof (of (*)). Assume that $u$ is a mode in $\mathcal{U}$ such that $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond(p,\varepsilon)_u) > 0$. Let $T$ be the set of states that are reachable from $(p,\varepsilon)_u$ in the Markov chain for $\mathcal{U}$. Then, by Proposition 6.1:

$$\Pr_{\mathcal{U}}\Bigl((q,\varepsilon) \models \bigwedge_{t \in T} \Box\Diamond t\Bigr) > 0.$$

Hence,

$$\Pr_{\mathcal{U}}\Bigl((q,\varepsilon) \models \bigwedge_{t \in T} \Box\Diamond t \wedge \bigwedge_{i=1}^{n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)\Bigr) > 0.$$

Let $I$ be the set of indices $i \in \{1, \ldots, n\}$ such that $T \cap A_i \neq \emptyset$. Then, $T \cap B_i \neq \emptyset$ for all $i \in I$. Hence,

$$\Pr_{\mathcal{U}}\Bigl((p,\varepsilon)_u \models \bigwedge_{i \in I} \Box\Diamond B_i \wedge \bigwedge_{i \notin I} \Box\neg A_i\Bigr) = 1.$$

Thus, $p \in C_I \subseteq C$. □

ad (d) of Theorem 6.3: $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigwedge_{1 \leq i \leq n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)) = 0$.

We deal with the negation of the Streett formula:

$$\Pr_{\mathcal{U}}\Bigl((q,\varepsilon) \models \bigwedge_{i=1}^{n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)\Bigr) = 0 \quad \text{iff} \quad \Pr_{\mathcal{U}}\Bigl((q,\varepsilon) \models \bigvee_{i=1}^{n} (\Box\Diamond A_i \wedge \Diamond\Box\neg B_i)\Bigr) = 1.$$

Thus, it suffices to establish the decidability of the question whether there is a finite-memory scheduler $\mathcal{U}$ with $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigvee_{i=1}^{n} (\Box\Diamond A_i \wedge \Diamond\Box\neg B_i)) = 1$.

For $i \in \{1, \ldots, n\}$, let $\mathcal{N}_i$ be the NPLCS that arises from $\mathcal{N}$ by removing all locations in $B_i$, possibly adding a new location fail (as in the proof of case (a)). Let $C_i$ be the set of locations $z \in Q$ such that there exists a scheduler $\mathcal{U}_i$ for $\mathcal{N}_i$ with

$$\Pr_{\mathcal{U}_i}((z,\varepsilon) \models \Box\Diamond A_i) = 1.$$

The set $C_i$ can be computed with the techniques sketched in Theorem 4.7 ad (a). Then, $z \in C_i$ iff there exists a scheduler $\mathcal{U}_i$ for the original NPLCS $\mathcal{N}$ with

$$\Pr_{\mathcal{U}_i}((z,\varepsilon) \models \Box\Diamond A_i \wedge \Box\neg B_i) = 1.$$

Let $C = C_1 \cup \cdots \cup C_n$. Then, the following two statements are equivalent:

(1) There is a finite-memory scheduler $\mathcal{U}$ with $\Pr_{\mathcal{U}}((q,\varepsilon) \models \bigvee_{1 \leq i \leq n} (\Box\Diamond A_i \wedge \Diamond\Box\neg B_i)) = 1$;

(2) There is a scheduler $\mathcal{V}$ with $\Pr_{\mathcal{V}}((q,\varepsilon) \models \Diamond C) = 1$.

(1) ⇒ (2): Let $\mathcal{U}$ be as in (1). Assume $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Diamond C) < 1$. Then,

$$\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box(Q \setminus C)) > 0.$$

By the finite-attractor property there exists a location $x$ such that

$$\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond(x,\varepsilon) \wedge \Box(Q \setminus C)) > 0.$$

As $\mathcal{U}$ is finite-memory there is a mode $u$ of $\mathcal{U}$ such that the above condition holds for $(x,\varepsilon)$ in mode $u$, that is,

$$\Pr_{\mathcal{U}}((q,\varepsilon) \models \Box\Diamond(x,\varepsilon)_u \wedge \Box(Q \setminus C)) > 0.$$

Let $T$ be the set of configurations that are reachable from $(x,\varepsilon)_u$ in the Markov chain induced by $\mathcal{U}$, $MC_{\mathcal{U}}$. Then, almost surely $\mathcal{U}$ visits all configurations in $T$ infinitely often when starting in $(x,\varepsilon)$ in mode $u$. We then have $T \cap \{(z,w) \in \mathit{Conf} \mid z \in C\} = \emptyset$, and hence,

$$T \cap \{(z,w) \in \mathit{Conf} \mid z \in C_i\} = \emptyset, \quad i = 1, \ldots, n,$$

which gives us $T \cap A_i = \emptyset$ or $T \cap B_i \neq \emptyset$ for any $i \in \{1, \ldots, n\}$. But then,

$$\Pr_{\mathcal{U}}\Bigl((x,\varepsilon)_u \models \bigvee_{i=1}^{n} (\Box\Diamond A_i \wedge \Diamond\Box\neg B_i)\Bigr) = 0.$$

Since $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Diamond(x,\varepsilon)_u) > 0$ this yields

$$\Pr_{\mathcal{U}}\Bigl((q,\varepsilon) \models \bigvee_{i=1}^{n} (\Box\Diamond A_i \wedge \Diamond\Box\neg B_i)\Bigr) < 1,$$

which contradicts assumption (1). We conclude $\Pr_{\mathcal{U}}((q,\varepsilon) \models \Diamond C) = 1$.

(2) ⇒ (1): Let $\mathcal{V}$ be as in (2). We may assume that $\mathcal{V}$ is memoryless (see Lemmas 3.7 and 3.6). For any location $z \in C$, we choose a finite-memory scheduler $\mathcal{V}_z$ for $\mathcal{N}$ such that

$$\Pr_{\mathcal{V}_z}((z,\varepsilon) \models (\Box\Diamond A_i \wedge \Diamond\Box\neg B_i)) = 1$$

for some $i \in \{1, \ldots, n\}$. Let $\mathcal{U}$ be the finite-memory scheduler that first behaves as $\mathcal{V}$, reaching $C$ almost surely, and which, after having visited a location $z \in C$, mimics the schedulers $\mathcal{V}_z$ as follows. When entering $C$ the first time, say in configuration $(z,w)$ where $w \neq \varepsilon$, $\mathcal{U}$ goes into a waiting mode where it waits until a configuration $(z',\varepsilon)$ with $z' \in C$ has been entered. From this configuration $(z',\varepsilon)$ on, $\mathcal{U}$ behaves as $\mathcal{V}_{z'}$. In the waiting mode, $\mathcal{U}$ chooses the same transition rule for $(z,w)$ as $\mathcal{V}_z$ for the starting configuration $(z,\varepsilon)$.

Note that the configurations obtained from $(z,w)$ by taking this transition rule have the form $(z',w')$ where $z' \in C$. This is because $(z',\varepsilon)$ is a successor of $(z,\varepsilon)$ under this transition rule. Hence, $\mathcal{V}_z$ induces a scheduler under which $(z',\varepsilon)$ fulfills $\Box\Diamond A_i \wedge \Diamond\Box\neg B_i$ almost surely for some index $i$. This yields $z' \in C_i \subseteq C$.

The finite-attractor property yields that $\mathcal{U}$ will eventually leave the waiting mode. Thus, $\mathcal{U}$ has the desired property.
7. ω-REGULAR PROPERTIES

We now consider qualitative verification of ω-regular linear-time properties where, as before, we use the control locations of the underlying NPLCS as atomic propositions (with the obvious interpretation).

For algorithmic purposes, we assume that an ω-regular property is given by a deterministic (word) Streett automaton with the alphabet $Q$ (the set of control locations in the given NPLCS). Other equivalent formalisms (nondeterministic Streett automata, nondeterministic Büchi automata, $\mu$-calculus formulas, etc.) are of course possible. The translations between them are now well understood. See, e.g., the survey articles in [Grädel et al. 2002].

A deterministic Streett automaton (DSA for short) over the alphabet $Q$ is a tuple $\mathcal{A} = (Z, \sigma, z_0, \mathit{Acc})$ where $Z$ is a finite set of states, $\sigma : Z \times Q \to Z$ the transition function, $z_0 \in Z$ the initial state, and $\mathit{Acc} = \{(A_1,B_1), \ldots, (A_n,B_n)\}$ a set of pairs $(A_i,B_i)$ consisting of subsets $A_i, B_i \subseteq Z$. $\mathit{Acc}$ is called the acceptance condition of $\mathcal{A}$. Intuitively, $\mathit{Acc}$ stands for the strong fairness condition $\psi_{\mathcal{A}} = \bigwedge_{i=1}^{n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)$. The accepting language $L(\mathcal{A})$ consists of all infinite words $q_0, q_1, q_2, \ldots \in Q^\omega$ where the induced run $z_0 \xrightarrow{q_0} z_1 \xrightarrow{q_1} z_2 \xrightarrow{q_2} \cdots$ in $\mathcal{A}$ (which is obtained by starting in the initial state $z_0$ of $\mathcal{A}$ and putting $z_{j+1} = \sigma(z_j, q_j)$, $j = 0, 1, 2, \ldots$) is accepting, that is, for all $i \in \{1, \ldots, n\}$, $z_j \in A_i$ for at most finitely many indices $j$ or $z_j \in B_i$ for infinitely many indices $j$. For a path $\pi$ of some NPLCS with state space $Q$, we write $\pi \models \mathcal{A}$ when $\pi$ (more precisely, its projection over $Q^\omega$) belongs to $L(\mathcal{A})$. Since Streett properties are ω-regular, Theorem 5.13 immediately entails:

Corollary 7.1 (ω-regular properties). The problem, given an NPLCS $\mathcal{N}$, a location $q \in Q$, and a DSA $\mathcal{A}$, whether there exists a scheduler $\mathcal{U}$ with $\Pr_{\mathcal{U}}((q,\varepsilon) \models \mathcal{A}) = 1$ (or $< 1$, or $= 0$, or $> 0$), is undecidable.

More interesting is the fact that our positive results from section 6 carry over from Streett properties to all ω-regular properties:

Theorem 7.2 (ω-regular properties, finite-memory schedulers). The problem, given an NPLCS $\mathcal{N}$, a location $q \in Q$, and a DSA $\mathcal{A}$, whether there exists a finite-memory scheduler $\mathcal{U}$ such that $\Pr_{\mathcal{U}}((q,\varepsilon) \models \mathcal{A}) = 1$ (or $< 1$, or $= 0$, or $> 0$), is decidable.

The extension from repeated-reachability properties to ω-regular properties follows the standard automata-theoretic approach for the verification of qualitative properties: one reduces the question whether $\mathcal{N}$ is accepted by $\mathcal{A}$ to a repeated-reachability property over the "product" $\mathcal{N} \times \mathcal{A}$ (see, e.g., [Vardi 1999]). We briefly sketch the main steps of the reduction which yields the proof for Theorem 7.2.

Let $\mathcal{N}$ be an NPLCS and $\mathcal{A}$ a DSA as before. The product $\mathcal{N}' = \mathcal{N} \times \mathcal{A}$ is an NPLCS where:

— locations are pairs $(p,z)$ where $p \in Q$ is a location in $\mathcal{N}$ and $z \in Z$ a state of $\mathcal{A}$,

— the channel set and the message alphabet are as in $\mathcal{N}$,

— $(p,z) \to (r,z')$ is a transition rule in $\mathcal{N} \times \mathcal{A}$ if and only if $p \to r$ is a transition rule in $\mathcal{N}$ and $z' = \sigma(z,p)$.

Then, each infinite path $\pi$ in $\mathcal{N}$, of the general form

$$(q_0,w_0) \to (q_1,w_1) \to (q_2,w_2) \to (q_3,w_3) \to \cdots \qquad (\pi)$$

is lifted to a path $\pi'$ in $\mathcal{N} \times \mathcal{A}$

$$(q_0,z_0,w_0) \to (q_1,z_1,w_1) \to (q_2,z_2,w_2) \to (q_3,z_3,w_3) \to \cdots \qquad (\pi')$$

where $z_{j+1} = \sigma(z_j, q_j)$ for all $j \in \mathbb{N}$. Thus, $z_0 \xrightarrow{q_0} z_1 \xrightarrow{q_1} z_2 \xrightarrow{q_2} \cdots$ is the (unique) run of $\mathcal{A}$ on (the projection of) $\pi$. Vice versa, any path $\pi'$ in $\mathcal{N} \times \mathcal{A}$ arises through the combination of a path in $\mathcal{N}$ and its run in $\mathcal{A}$.

Assume the acceptance condition of $\mathcal{A}$ is given by the following Streett condition: $\psi_{\mathcal{A}} = \bigwedge_{i=1}^{n} (\Box\Diamond A_i \Rightarrow \Box\Diamond B_i)$ with $A_i, B_i \subseteq Z$. Then, letting $A_i' = Q \times A_i$ and $B_i' = Q \times B_i$, we equip $\mathcal{N} \times \mathcal{A}$ with the acceptance condition $\mathit{Acc}' = \{(A_i', B_i') : 1 \leq i \leq n\}$ which corresponds to the following Streett condition $\psi_{\mathcal{N} \times \mathcal{A}}$:

$$\bigwedge_{i=1}^{n} (\Box\Diamond A_i' \Rightarrow \Box\Diamond B_i') \qquad (\psi_{\mathcal{N} \times \mathcal{A}})$$

Lemma 7.3. Let $\pi$ be a path in $\mathcal{N}$ and $\pi'$ the corresponding path in $\mathcal{N}'$. Then, $\pi \models \mathcal{A}$ if and only if $\pi' \models \psi_{\mathcal{N} \times \mathcal{A}}$.
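The product construction and Lemma 7.3 made concrete, as an added Python example that is not part of the paper. It models only the control graph of an NPLCS (channel operations are dropped, since a product rule $(p,z) \to (r,\sigma(z,p))$ inherits the operation of $p \to r$ unchanged and satisfaction of the property depends only on the sequence of locations), builds $\mathcal{N} \times \mathcal{A}$ and $\mathit{Acc}'$ from a DSA, lifts an ultimately periodic path $\mathit{prefix} \cdot \mathit{loop}^\omega$ to the product, and checks both that the lifted path obeys the product rules and that $\pi \models \mathcal{A}$ iff $\pi' \models \psi_{\mathcal{N} \times \mathcal{A}}$. The three-location system, the automaton `A_SEND_ACK`, the paths and every function name are constructed for this illustration.

```python
"""Product N x A of a control graph with a deterministic Streett automaton,
and Lemma 7.3 checked on ultimately periodic paths.

Added illustration, not code from the paper. Only the control graph of the
NPLCS is modelled: a product rule (p,z) -> (r, sigma(z,p)) inherits the
channel operation of p -> r unchanged, and acceptance depends only on the
sequence of locations, so channel contents are irrelevant here.
"""
from typing import Dict, List, Set, Tuple

Loc = str                  # control location of N (atomic proposition)
State = str                # state of the DSA
Pair = Tuple[Loc, State]   # location of the product N x A


class DSA:
    """Deterministic Streett automaton (Z, sigma, z0, Acc) over alphabet Q."""
    def __init__(self, states: Set[State], sigma: Dict[Tuple[State, Loc], State],
                 z0: State, acc: List[Tuple[Set[State], Set[State]]]):
        self.states, self.sigma, self.z0, self.acc = states, sigma, z0, acc


def streett(inf: set, acc) -> bool:
    """/\\ (Box Diamond A_i => Box Diamond B_i), evaluated on the set `inf`
    of elements visited infinitely often."""
    return all(not (A & inf) or bool(B & inf) for A, B in acc)


def lift_lasso(dsa: DSA, prefix: List[Loc], loop: List[Loc]):
    """Lift prefix.loop^omega to the product path: (prefix', loop') over
    pairs (q_j, z_j) with z_{j+1} = sigma(z_j, q_j).  loop' may span several
    copies of `loop`, because the automaton state at the loop entry must
    repeat before the product path itself becomes periodic."""
    z = dsa.z0
    pre: List[Pair] = []
    for q in prefix:
        pre.append((q, z))
        z = dsa.sigma[(z, q)]
    first_seen: Dict[State, int] = {}
    rounds: List[List[Pair]] = []
    while z not in first_seen:            # state at loop entry not seen yet
        first_seen[z] = len(rounds)
        rnd: List[Pair] = []
        for q in loop:
            rnd.append((q, z))
            z = dsa.sigma[(z, q)]
        rounds.append(rnd)
    k = first_seen[z]                     # rounds[k:] repeat forever
    pre += [pair for rnd in rounds[:k] for pair in rnd]
    return pre, [pair for rnd in rounds[k:] for pair in rnd]


def accepted_by_dsa(dsa: DSA, prefix: List[Loc], loop: List[Loc]) -> bool:
    """pi |= A: the run of A on the location sequence satisfies Acc."""
    _, loop2 = lift_lasso(dsa, prefix, loop)
    return streett({z for _, z in loop2}, dsa.acc)


def product_rules(rules: Set[Tuple[Loc, Loc]], dsa: DSA) -> Set[Tuple[Pair, Pair]]:
    """(p,z) -> (r,z') is a rule of N x A iff p -> r is a rule of N and z' = sigma(z,p)."""
    return {((p, z), (r, dsa.sigma[(z, p)])) for (p, r) in rules for z in dsa.states}


def product_acc(Q: Set[Loc], dsa: DSA):
    """Acc' = {(Q x A_i, Q x B_i)}, i.e. the Streett condition psi_{N x A}."""
    return [({(q, z) for q in Q for z in A}, {(q, z) for q in Q for z in B})
            for A, B in dsa.acc]


def lifted_path_is_valid(rules, dsa: DSA, prefix, loop) -> bool:
    """Every step of the lifted path, including the loop closure, is a product rule."""
    pre, loop2 = lift_lasso(dsa, prefix, loop)
    seq = pre + loop2 + [loop2[0]]
    prules = product_rules(rules, dsa)
    return all((a, b) in prules for a, b in zip(seq, seq[1:]))


def product_path_satisfies(Q, dsa: DSA, prefix, loop) -> bool:
    """pi' |= psi_{N x A}, evaluated on the product locations of loop'."""
    _, loop2 = lift_lasso(dsa, prefix, loop)
    return streett(set(loop2), product_acc(Q, dsa))


# Constructed example: a three-location sender, and a DSA for the Streett
# property "if send is visited infinitely often then so is ack".  The DSA
# remembers the last letter read, so its state z_q encodes the location q.
Q = {"idle", "send", "ack"}
RULES = {("idle", "send"), ("send", "send"), ("send", "ack"), ("ack", "idle")}
A_SEND_ACK = DSA(
    states={"z_idle", "z_send", "z_ack"},
    sigma={(z, q): "z_" + q for z in ("z_idle", "z_send", "z_ack") for q in Q},
    z0="z_idle",
    acc=[({"z_send"}, {"z_ack"})],
)


def check_lemma_7_3(prefix, loop):
    """Returns (pi |= A, pi' |= psi_{N x A}, pi' is a path of N x A)."""
    return (accepted_by_dsa(A_SEND_ACK, prefix, loop),
            product_path_satisfies(Q, A_SEND_ACK, prefix, loop),
            lifted_path_is_valid(RULES, A_SEND_ACK, prefix, loop))


if __name__ == "__main__":
    print(check_lemma_7_3(["idle"], ["send", "ack", "idle"]))   # (True, True, True)
    print(check_lemma_7_3(["idle"], ["send"]))                  # (False, False, True)
```

The second path shows why the lifted loop can be longer than the original one: the loop `[send]` is entered in automaton state `z_idle` but only becomes periodic once the state `z_send` repeats, so the product loop is `[("send", "z_send")]` with `("send", "z_idle")` pushed into the prefix.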

This correspondence between paths in $\mathcal{N}$ and paths in $\mathcal{N}'$ allows us to transform any scheduler $\mathcal{U}$ for $\mathcal{N}$ into a scheduler $\mathcal{V}$ for $\mathcal{N}'$ such that the probabilities agree, and vice versa. More precisely:

Lemma 7.4. Let $p \in [0,1]$. Then there exists a finite-memory scheduler $\mathcal{U}$ for $\mathcal{N}$ such that $\Pr_{\mathcal{U}}((q,\varepsilon) \models \mathcal{A}) = p$ iff there exists a finite-memory scheduler $\mathcal{V}$ for $\mathcal{N} \times \mathcal{A}$ such that

$$\Pr_{\mathcal{V}}((q,z_0,\varepsilon) \models \psi_{\mathcal{N} \times \mathcal{A}}) = p.$$

The proof is as in [Courcoubetis and Yannakakis 1995, section 4], the basic ingredient being that $\mathcal{A}$ is deterministic.

Lemma 7.4 reduces the verification of qualitative ω-regular properties over $\mathcal{N}$ to the verification of qualitative Streett properties over $\mathcal{N}'$. Decidability is then obtained with Theorem 6.3.

8. CONCLUSION

We proposed NPLCS's, a model for lossy channel systems where message losses occur probabilistically while transition rules behave nondeterministically, and we investigated qualitative verification problems for this model. Our main result is that qualitative verification of simple linear-time properties is decidable, but this does not extend to all ω-regular properties. On the other hand, decidability is recovered if we restrict our attention to finite-memory schedulers.

The NPLCS model improves on earlier models for lossy channel systems: the original, purely nondeterministic, LCS model is too pessimistic w.r.t. message losses, and nondeterministic losses make liveness properties undecidable. It seems this undecidability is an artifact of the standard rigid view asking whether no incorrect behavior exists, when we could be content with the weaker statement that incorrect behaviors are extremely unlikely. The fully probabilistic PLCS model recovers decidability but cannot account for nondeterminism.

Regarding NPLCS's, decidability is obtained by reducing qualitative properties to reachability questions in the underlying non-probabilistic transition system. Since in our model qualitative properties do not depend on the exact value of the fault rate $\tau$, the issue of what is a realistic value for $\tau$ is avoided, and one can establish correctness results that apply uniformly to all fault rates.

An important open question is the decidability of quantitative properties. Regarding this 
research direction, we note that Rabinovich [2003] investigated it for the fully probabilistic 
PLCS model, where it already raises serious difficulties. 
A. PROOF OF LEMMA 3.5

The goal is to prove that, given $A$ and $B$ sets of locations, $\mathit{Prom}(A \cup B) = \mathit{Prom}(A) \cup \mathit{Prom}(B)$. One inclusion is trivial: $\mathit{Prom}(A) \cup \mathit{Prom}(B) \subseteq \mathit{Prom}(A \cup B)$. We prove here the reverse inclusion. In fact we build a scheduler that, starting from any $(x,\varepsilon)$ for $x \in \mathit{Prom}(A \cup B)$, will ensure visiting eventually $A$ or visiting eventually $B$, and the choice between $A$ and $B$ is fixed (given $x$). Lemma 3.7 then yields $\mathit{Prom}(A \cup B) \subseteq \mathit{Prom}(A) \cup \mathit{Prom}(B)$.

For each $x \in \mathit{Prom}(A \cup B)$ we pick a simple path to $A \cup B$ that only visits locations of $\mathit{Prom}(A \cup B)$. Such a path exists by definition of $\mathit{Prom}$; we denote it

$$\pi_x : (x,\varepsilon) = (x^0, w_x^0) \xrightarrow{\delta_x^0} (x^1, w_x^1) \xrightarrow{\delta_x^1} \cdots \xrightarrow{\delta_x^{m-1}} (x^m, w_x^m)$$

with $x^m \in A \cup B$ and $x^i \in \mathit{Prom}(A \cup B)$ for $i < m$. By convention, we let $x^i = x^m$ when $i > |\pi_x|$. For example, given the system depicted in Fig. 9, with $A = \{3\}$ and $B = \{6\}$,

Fig. 9. Running example for the proof of Lemma 3.5.

one has $\mathit{Prom}(A \cup B) = \{1,2,3,4,5,6\}$ and a possible choice for the paths $\pi_x$ is given in Fig. 10.

We now define a sequence $\mathcal{P}_0, \mathcal{P}_1, \ldots$ of partitions of $\mathit{Prom}(A \cup B)$. In general $\mathcal{P}_k$ is some $\{B_1^k, B_2^k, \ldots\}$ and each class $B_j^k \in \mathcal{P}_k$ comes with a fixed element $b_j^k$ called its representative (which is underlined in the examples). The first partition is composed of all singletons: $\mathcal{P}_0 = \{\{x\} \mid x \in \mathit{Prom}(A \cup B)\}$. Partition $\mathcal{P}_{k+1}$ is coarser than $\mathcal{P}_k$: each class in $\mathcal{P}_{k+1}$ is the fusion of (possibly only one) classes of $\mathcal{P}_k$. Assume $\mathcal{P}_k$ is given: $\mathcal{P}_k = \{B_1^k, \ldots\}$ with $\{b_1^k, \ldots\}$ as representatives. We define a mapping $f_{k+1}$ between the classes of $\mathcal{P}_k$. For any class $B_j^k$, we consider its representative $b_j^k$, shortly written $x$, and associate with $B_j^k$ the class to which $x^{k+1}$ (the $(k+1)$-th location on $\pi_x$) belongs. In our running example $f_1$ is given in Fig. 10.

$\pi_1 : (1,\varepsilon) \to (2,a) \to (6,\varepsilon)$ with $f_1(\{1\}) = \{2\}$

$\pi_2 : (2,\varepsilon) \to (2,b) \to (1,bc) \to (2,c) \to (3,\varepsilon)$ with $f_1(\{2\}) = \{2\}$, $f_4(\{1,2\}) = \{3\}$

$\pi_3 : (3,\varepsilon)$ with $f_1(\{3\}) = \{3\}$, $f_4(\{3\}) = \{3\}$

$\pi_4 : (4,\varepsilon) \to (4,b) \to (4,bb) \to (5,b) \to (6,\varepsilon)$ with $f_1(\{4\}) = \{4\}$, $f_4(\{4,5\}) = \{6\}$

$\pi_5 : (5,\varepsilon) \to (4,b) \to (4,bb) \to (5,b) \to (6,\varepsilon)$ with $f_1(\{5\}) = \{4\}$

$\pi_6 : (6,\varepsilon)$ with $f_1(\{6\}) = \{6\}$, $f_4(\{6\}) = \{6\}$

Fig. 10. Running example (continued): paths $\pi_x$ with mappings $f_1$ and $f_4$.
The mapping $f_{k+1}$ induces an oriented graph (of out-degree 1). The classes of $\mathcal{P}_{k+1}$ are obtained by fusing the classes of $\mathcal{P}_k$ which belong to the same connected component in this graph. For example, in Fig. 11, the classes $B_1^k$, $B_4^k$ and the other classes of the same component are fused. The representative for $B^{k+1}$ is arbitrarily chosen among the representatives of the $B^k$'s that compose the strongly connected component ($b^k$ or $b'^k$ in Fig. 11).

Fig. 11. Constructing $\mathcal{P}_{k+1}$ by fusing equivalence classes from $\mathcal{P}_k$.

Back to the running example, we derive $\mathcal{P}_1 = \{\{1,2\}, \{3\}, \{4,5\}, \{6\}\}$ with $2, 3, 4, 6$ as representatives (no choice here). Partition $\mathcal{P}_1$ is stable by $f_2$ and $f_3$:

$$f_2, f_3 : \quad \{1,2\} \mapsto \{1,2\} \qquad \{3\} \mapsto \{3\} \qquad \{4,5\} \mapsto \{4,5\} \qquad \{6\} \mapsto \{6\}$$

Hence $\mathcal{P}_3 = \mathcal{P}_2 = \mathcal{P}_1$. Mapping $f_4$ is given in Fig. 10. We deduce $\mathcal{P}_4 = \{\{1,2,3\}, \{4,5,6\}\}$ with $3$ and $6$ as representatives (no choice either).

It is clear that $\mathcal{P}_{k+1}$ is coarser than $\mathcal{P}_k$ and that a representative at level $k+1$ was already a representative at level $k$. Hence the sequence eventually stabilizes (the state space is finite). We denote $\mathcal{P}_\infty = \{B_1^\infty, \ldots\}$ the partition in the limit. In the running example $\mathcal{P}_\infty = \mathcal{P}_4$.
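The partition construction above, run on the running example of Fig. 10, as an added Python example that is not code from the paper. It takes only the location sequence $x^0, x^1, \ldots, x^m$ of each path $\pi_x$ (the channel contents play no role in forming the partitions), applies the convention $x^i = x^m$ for $i > |\pi_x|$, fuses the classes lying on the same connected component of the functional graph $f_{k+1}$, and resolves the arbitrary choice of representative by taking the smallest representative on the component's cycle. The function names (`partition_sequence`, `fixed_choice`, and the helpers) are this example's own.

```python
"""Partition sequence P_0, P_1, ... from the proof of Lemma 3.5, computed on
the running example of Figs. 9 and 10 (A = {3}, B = {6}).

Added illustration, not code from the paper.  Only the location sequence of
each path pi_x is needed; channel contents play no role in the construction.
"""
from typing import Dict, FrozenSet, List

Cls = FrozenSet[int]
Partition = Dict[Cls, int]          # class -> its representative b

# Location sequences x^0 .. x^m of the paths pi_1 .. pi_6 read off Fig. 10.
PATHS: Dict[int, List[int]] = {
    1: [1, 2, 6],
    2: [2, 2, 1, 2, 3],
    3: [3],
    4: [4, 4, 4, 5, 6],
    5: [5, 4, 4, 5, 6],
    6: [6],
}
A, B = {3}, {6}


def location_at(paths: Dict[int, List[int]], x: int, k: int) -> int:
    """x^k, the k-th location on pi_x, with x^k = x^m for k > |pi_x|."""
    path = paths[x]
    return path[min(k, len(path) - 1)]


def class_of(partition: Partition, loc: int) -> Cls:
    return next(c for c in partition if loc in c)


def mapping(partition: Partition, paths, k: int) -> Dict[Cls, Cls]:
    """f_k on the classes of P_{k-1}: the class with representative x is
    sent to the class containing x^k."""
    return {c: class_of(partition, location_at(paths, rep, k))
            for c, rep in partition.items()}


def cycle_reached(f: Dict[Cls, Cls], c: Cls) -> List[Cls]:
    """Classes on the unique cycle reached from c in the out-degree-1 graph f."""
    seen: List[Cls] = []
    while c not in seen:
        seen.append(c)
        c = f[c]
    return seen[seen.index(c):]


def fuse(partition: Partition, f: Dict[Cls, Cls]) -> Partition:
    """P_k from P_{k-1}: classes in the same connected component of f are
    fused; the representative is one of the representatives on the
    component's cycle (the smallest, to make the arbitrary choice definite)."""
    components: Dict[FrozenSet[Cls], set] = {}
    for c in partition:
        cyc = frozenset(cycle_reached(f, c))   # identifies c's component
        components.setdefault(cyc, set()).update(c)
    return {frozenset(members): min(partition[c] for c in cyc)
            for cyc, members in components.items()}


def partition_sequence(paths: Dict[int, List[int]]) -> List[Partition]:
    """[P_0, P_1, ..., P_K] with K one past the longest path: beyond the
    longest path every x^k is constant, so the sequence has stabilized."""
    p: Partition = {frozenset([x]): x for x in paths}
    seq = [p]
    longest = max(len(path) - 1 for path in paths.values())
    for k in range(1, longest + 2):
        p = fuse(p, mapping(p, paths, k))
        seq.append(p)
    return seq


def fixed_choice(final: Partition, paths, A, B) -> Dict[int, str]:
    """Which of A or B the scheduler of Lemma A.1 steers each x to: the end
    of the path of x's representative in P_infinity."""
    choice: Dict[int, str] = {}
    for c, rep in final.items():
        target = "A" if paths[rep][-1] in A else "B"
        choice.update({x: target for x in c})
    return choice


if __name__ == "__main__":
    seq = partition_sequence(PATHS)
    for k, p in enumerate(seq):
        print(f"P_{k}:", {tuple(sorted(c)): r for c, r in p.items()})
    print(fixed_choice(seq[-1], PATHS, A, B))
```

Stopping at the first repeated partition would be a mistake on this input: $\mathcal{P}_1 = \mathcal{P}_2 = \mathcal{P}_3$, yet $\mathcal{P}_4$ is strictly coarser, which is why the loop runs one step past the longest path rather than until two consecutive partitions agree. The final partition also exhibits the fixed choice that Lemma 3.5 needs: every location in the class of $3$ is steered to $A$ and every location in the class of $6$ to $B$.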

This whole construction is geared towards the following:

Lemma A.1. For all $k \geq 1$, there exists a scheduler $\mathcal{U}_k$ such that, for every class $B_p^k$ and writing $y$ for $b_p^k$,

$$\forall x \in B_p^k \;\; \forall w \in M^{*C} \quad \Pr_{\mathcal{U}_k}((x,w) \models \Diamond(y^k, w_y^k)) = 1. \qquad (*)$$

In other words, at step $k$ of the construction there exists a scheduler that, starting from a location $x$ with arbitrary channel content, ensures (with probability one) that we visit the $k$-th configuration on $\pi_y$, where $y$ is the representative for $x$ in $\mathcal{P}_k$. When $k$ is large enough, more precisely larger than all $|\pi_x|$'s, (*) states that $\mathcal{U}_k$ guarantees reaching $A$ (or $B$, depending on $x$) with probability one, which concludes the proof of Lemma 3.5.

Proof (of Lemma A.1). The proof is by induction on $k$.

We first prove the case $k = 1$. Let $x$ be a location in some class $B_j^1$ having $(y =)\, b_j^1$ as representative. The behavior of $\mathcal{U}_1$ is simple: in any configuration $(z,v)$, $\mathcal{U}_1$ fires $\delta_z^0$. Going on this way, $\mathcal{U}_1$ eventually ends up in the strongly connected component (w.r.t. $f_1$). Because of the finite-attractor property, the configuration $(y,\varepsilon)$ is visited infinitely often almost surely. Hence, $\mathcal{U}_1$ will succeed in reaching $(y^1, w_y^1)$ from $(y,\varepsilon)$ by $\delta_y^0$.

Assume now that for some $k \geq 1$ there exists $\mathcal{U}_k$ ensuring (*). We consider $\mathcal{P}_{k+1}$ and build $\mathcal{U}_{k+1}$ using $\mathcal{U}_k$. Let $x \in B_p^{k+1}$ (it may help to look at Fig. 11). Starting from $(x,w)$, $\mathcal{U}_{k+1}$ behaves as $\mathcal{U}_k$ until $(y^k, w_y^k)$ is reached, where $y$ is the representative of the class $B_p^k$ of $x$ in $\mathcal{P}_k$. Then it fires $\delta_y^k$ and ends up in $(y^{k+1}, w')$ for some channel content $w'$. $y^{k+1}$ is a location of $B_{p'}^k = f_{k+1}(B_p^k)$; let $z = b_{p'}^k$ be its representative. From configuration $(y^{k+1}, w')$, $\mathcal{U}_{k+1}$ behaves again as $\mathcal{U}_k$ and eventually reaches $(z^k, w_z^k)$ with probability one. Iterating this process (alternation of $\mathcal{U}_k$'s behavior and one step transition), $\mathcal{U}_{k+1}$ will eventually end in the strongly connected component of $B_p^{k+1}$. If $t$ is the representative for this class in $\mathcal{P}_{k+1}$, because of the finite-attractor property $(t,\varepsilon)$ is visited infinitely often, almost surely. Hence, $\mathcal{U}_{k+1}$ will in the end succeed and reach $(t^{k+1}, w_t^{k+1})$ using $\mathcal{U}_k$ until $(t^k, w_t^k)$ and then performing $\delta_t^k$. □